Security
In the current version, several changes have been made to further improve security. The following xSuite parameters (transaction /WMD/XF_PARAM) were added:
XF_VSCAN_PROFILE
This parameter can be used to specify a particular virus scanner profile. If the parameter is not set, the default profile /SCMS/KPRO_CREATE will be used. /SCMS/KPRO_CREATE corresponds to the SAP default value.
This applies to uploads from xSuite Web and SAP Fiori, including payment terms. The same profile is also used when archiving image data via the /WMD/FP_IMPORT import interface.
XF_HTTP_NO_SNIFF
If this parameter is set to X, the web service handler instructs the browser to use the declared response type for every response rather than guessing the type from the content. This prevents a potentially malicious script from being executed. However, it can cause problems when images are displayed via the web service handler inside an iFrame.
The web service handler now also sends additional security-relevant HTTP response headers to the browser in order to rule out possible attacks from the outset, provided that the browser implements these headers as required. The Referrer-Policy and Permissions-Policy response headers are worth mentioning here.
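As an added illustration (not xSuite code) of what an administrator can verify once these parameters are active, the check below parses a captured response head from the web service handler and reports missing or permissive headers. It assumes XF_HTTP_NO_SNIFF results in the standard X-Content-Type-Options: nosniff header, and it includes the image Content-Type check behind the iFrame caveat above; the sample responses are constructed.

```python
"""Audit the response headers this section describes on a captured HTTP response.

Constructed example, not xSuite code. It assumes XF_HTTP_NO_SNIFF emits the
standard X-Content-Type-Options: nosniff header; the other checks cover the
Referrer-Policy and Permissions-Policy headers the text mentions."""

# Referrer-Policy values that do not leak the full URL to other origins.
SAFE_REFERRER_POLICIES = {
    "no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin",
}

def parse_response(raw):
    """Split a raw HTTP response head into (status line, lower-cased header dict)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def audit_headers(raw, expect_image=False):
    """Return findings for a response; an empty list means it looks hardened."""
    _, h = parse_response(raw)
    findings = []
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing (XF_HTTP_NO_SNIFF unset?)")
    policy = h.get("referrer-policy", "").lower()
    if policy not in SAFE_REFERRER_POLICIES:
        findings.append("Referrer-Policy missing or permissive: " + (policy or "<none>"))
    if "permissions-policy" not in h:
        findings.append("Permissions-Policy header missing")
    # The caveat from the text: with nosniff the browser no longer guesses that a
    # response is an image, so a wrong Content-Type stops it rendering in an iFrame.
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    if expect_image and not ctype.startswith("image/"):
        findings.append("image served as " + (ctype or "<none>") + "; will not render under nosniff")
    return findings

# Constructed sample responses (not captured from a real system).
HARDENED = ("HTTP/1.1 200 OK\r\nContent-Type: image/png\r\n"
            "X-Content-Type-Options: nosniff\r\nReferrer-Policy: strict-origin-when-cross-origin\r\n"
            "Permissions-Policy: camera=(), microphone=()\r\n\r\n")
WEAK = ("HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
        "Referrer-Policy: unsafe-url\r\n\r\n")
```

Call audit_headers() with the head of a response captured from an image URL served by the web service handler; an empty result means all three headers are present and the image will still render with nosniff active.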
Furthermore, the existing parameter XF_MAX_UPLOAD_SIZE is now also taken into account when creating payment requests via xSuite Web and SAP Fiori. This parameter sets the maximum allowed size of attachments. For payment requests, the limit applies for security reasons to the total size of all attachments combined.