Apr 12 at 03:57 PM

Does SAP already protect my BTP Cloud Foundry app against Denial of Service attacks?


Hello SAP BTP Security Experts,

I'm helping my clients to get their CAP-based multitenancy apps deployed to BTP Cloud Foundry. For one app we've executed a pentest and got the finding that there is no rate limiting in place.

Without such a rate limit it is possible that a Client using Tenant A issues so many requests that it slows down requests made by Clients to Tenants B and C.

In the documentation Developing Resilient Apps on SAP BTP: Rate Limiting I've only found some general overview but no concrete tips. Also SAP BTP, Cloud Foundry Runtime - Scope and Limitations doesn't provide the details I would need. I've also checked the SAP Support page: My Trust Center without success.

As far as I know SAP BTP Cloud Foundry in general is accessed via an F5 Load Balancer. It would be good to know whether any rate limiting is already implemented here.

The first endpoint that I can influence in the Cloud Foundry environment is the approuter. In the @sap/approuter documentation I haven't found any hint regarding rate limiting or other limits that I could set. Looking at the Sizing Guide for HTTP Traffic it seems that the approuter can handle quite some load. If I would like to implement my own rate limiting (which I think isn't a good idea) I could follow the guide on Extending Application Router. But I hope there is a better way.

Looking forward to your input.
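
The per-tenant limit the pentest finding points at, as an added example that is not part of the original post and not SAP code: a token bucket kept per tenant in a connect-style `(req, res, next)` middleware, so a burst from Tenant A is answered with 429 while Tenant B is unaffected. Assumptions: the tenant is taken from the first label of the `Host` header, the names `tenantOf` and `createTenantRateLimiter` are hypothetical, and wiring the middleware into the approuter is left to the Extending Application Router guide the post mentions.

```javascript
// Added example: per-tenant token bucket as connect-style middleware.
// Assumption: the tenant is the first label of the Host header.
function tenantOf(req) {
  const host = String(req.headers.host || '').toLowerCase();
  return host.split(':')[0].split('.')[0] || 'unknown';
}

// capacity = burst size, refillPerSec = sustained requests/second per tenant.
function createTenantRateLimiter({ capacity, refillPerSec, now = Date.now }) {
  const buckets = new Map(); // tenant -> { tokens, last }

  function take(tenant) {
    const t = now();
    const b = buckets.get(tenant) || { tokens: capacity, last: t };
    // Refill proportionally to elapsed time, never above capacity.
    b.tokens = Math.min(capacity, b.tokens + ((t - b.last) / 1000) * refillPerSec);
    b.last = t;
    buckets.set(tenant, b);
    if (b.tokens >= 1) { b.tokens -= 1; return 0; }
    // Seconds until one full token is available again.
    return Math.ceil((1 - b.tokens) / refillPerSec);
  }

  return function rateLimit(req, res, next) {
    const retryAfter = take(tenantOf(req));
    if (retryAfter === 0) return next();
    res.statusCode = 429;
    res.setHeader('Retry-After', String(retryAfter));
    res.end('Too Many Requests');
  };
}

// Constructed demo: tenant-a bursts 5 requests, tenant-b sends 1, then 2 s pass.
function demo() {
  let clock = 0; // fake clock in milliseconds, so the run is deterministic
  const limit = createTenantRateLimiter({ capacity: 3, refillPerSec: 1, now: () => clock });
  const send = (host) => {
    const res = { statusCode: 200, headers: {}, setHeader(k, v) { this.headers[k] = v; }, end() {} };
    limit({ headers: { host } }, res, () => {});
    return res;
  };
  const a = [1, 2, 3, 4, 5].map(() => send('tenant-a.example.com').statusCode);
  const b = send('tenant-b.example.com').statusCode;
  clock += 2000;
  const aLater = send('tenant-a.example.com').statusCode;
  return { a, b, aLater };
}
```

The counters live in the memory of one process, so with several application instances each instance enforces its own limit unless the buckets are moved to a shared store.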