The UI5 Server module provides server capabilities for local development of UI5 projects.
<script setup> import VPButton from "vitepress/dist/client/theme-default/components/VPButton.vue" </script>::: warning Development Use Only The UI5 Server is intended for local development purposes only. It must not be exposed to untrusted parties or used as a public-facing web server.
The server does not implement safeguards against various network-based attacks — this is by design, as it is not meant to serve production traffic.
Please be aware of the following risks when using the server:
- Custom middleware from third parties can execute arbitrary code on your system and may introduce additional security vulnerabilities when the server is exposed to a network.
- Proxy middleware configured with credentials may enable unauthorized access to the target system for other parties on the same network.
- Using
--accept-remote-connectionsmakes the server reachable from all hosts on your network, which significantly increases the attack surface.
:::
::: info Removed Middleware
The serveThemes middleware has been removed in UI5 CLI v5. Theme compilation is now handled by the buildThemes build task, which pre-compiles all theme CSS files. The resulting CSS files (including library.css, library-RTL.css, library-parameters.json, and CSS Variables resources) are served via the serveResources middleware, providing the same functionality with better performance through build-time compilation and caching.
Custom middleware previously referencing serveThemes via beforeMiddleware or afterMiddleware will continue to work with automatic remapping and a deprecation warning. See the v5 migration guide for details.
:::
All available standard middleware are listed below in the order of their execution.
A project can also add custom middleware to the server by using the Custom Server Middleware Extensibility.
| Middleware | Description |
|---|---|
csp |
See chapter csp |
compression |
Standard Express compression middleware |
cors |
Standard Express cors middleware |
discovery |
See chapter discovery |
serveResources |
See chapter serveResources |
testRunner |
See chapter testRunner |
versionInfo |
See chapter versionInfo |
nonReadRequests |
See chapter nonReadRequests |
serveIndex |
See chapter serveIndex |
The Content Security Policy (CSP) middleware is active by default.
The header content-security-policy can be set by adding URL parameter sap-ui-xx-csp-policy to the request with the policy name as value.
To set the policy to report-only, append :report-only or :ro to the policy name.
E.g. /index.html?sap-ui-xx-csp-policy=sap-target-level-1:report-only
The default CSP policies can be modified using parameter sendSAPTargetCSP (--sap-csp-policies when using the CLI).
With sendSAPTargetCSP set to true the policies sap-target-level-1 and sap-target-level-3 policies are activated and send as report-only.
Serving of CSP reports can be activated with parameter serveCSPReports (--serve-csp-reports when using the CLI).
With serveCSPReports set to true, the CSP reports are collected and can be downloaded from the server path /.ui5/csp/csp-reports.json.
This middleware lists project files with URLs under several /discovery endpoints. This is exclusively used by the OpenUI5 test suite application.
This middleware resolves requests using the ui5-fs-file system abstraction.
The following file content transformations are executed:
- Escaping non-ASCII characters in
.propertiestranslation files based on a project's configuration - Enhancing the
manifest.jsonwith supported locales determined by available.propertiestranslation files
Serves a static version of the UI5 QUnit TestRunner at /test-resources/sap/ui/qunit/testrunner.html.
Generates and serves the version info file /resources/sap-ui-version.json, which is required for several framework functionalities.
Answers all non-read requests (POST, PUT, DELETE, etc.) that have not been answered by any other middleware with the 404 "Not Found" status code . This signals the client that these operations are not supported by the server.
In case a directory has been requested, this middleware renders an HTML with a list of the directory's content.
As with the UI5 Builder, a set of standard tasks is being executed during a server build. However, the following tasks are being excluded by default:
minifygenerateLibraryPreloadgenerateComponentPreloadgenerateBundle
::: info See Builder Standard Tasks for more explanation about each task. :::
The UI5 Server performs a build of the projects by utilizing build caches.
You can control the build cache behavior using the --cache option:
--cache Default(default): Use the cache if available, create it if missing--cache Force: Only use the cache; fail if the cache is unavailable or invalid--cache ReadOnly: Use existing cache but don't update it (useful for CI/CD)--cache Off: Disable caching entirely and always perform a full rebuild
Example:
ui5 serve --cache OffIn this scenario, when a source file changes and a request comes in, the server always performs a full rebuild, even if this source version existed previously.
::: info
By default, build caches created by ui5 build and ui5 serve are separate and cannot be mixed. Each command executes a distinct set of tasks, resulting in separate caches tailored to its specific use case. For more details on builder caching, see the UI5 Builder documentation.
:::
Once started with ui5 serve, the server automatically monitors changes to the source files throughout the session. When a request arrives, it checks for cached results first and only triggers a rebuild of the respective resources and tasks if no cache is available.
- Monitored files: All files in your project's source directories (
src/,webapp/,test/, etc.) - Not monitored: Configuration files (
ui5.yaml,package.json), custom task implementations, and dependency files
::: info Changes to configuration files or custom tasks require a server restart to take effect. :::
When starting the UI5 Server in HTTPS- or HTTP/2 mode, for example by using UI5 CLI parameter --h2, you will be prompted for the automatic generation of a local SSL certificate if necessary.
Follow the given instructions and enter your password to install the generated certificate as trusted. You can find the generated certificate and corresponding private key under .ui5/server in your user's home directory.
::: tip If Chrome unintentionally redirects an HTTP-URL to HTTPS, you need to delete the HSTS mapping in chrome://net-internals/#hsts by entering the domain name (e.g. localhost) and pressing "delete".
:::
<style> .no-decoration { text-decoration: inherit; } </style>