
A CSRF token is a unique, secret, and unpredictable value that is generated on the server side and transmitted to the client to prevent CSRF attacks. The client includes the token in every subsequent modifying (create, update, and delete) request. The server-side application validates the request and rejects it if the expected token is missing, invalid, or expired. This protects the application from unauthorised modification of the database by a malicious entity.
Most SAP APIs have X-CSRF enabled for the create, update and delete operations to protect the APIs against CSRF attacks. As a part of this feature, we are providing the option to capture an action as X-CSRF relevant. Since GET requests do not change the state of a database, X-CSRF capability cannot be configured for a GET action.
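To make the exchange described above concrete, here is an added, self-contained model of the SAP-style token fetch and validation flow. It is example code written for this page, not the Actions Editor's or SAP's own implementation. The class and function names, the session identifiers and the 30-minute lifetime are assumptions; the header name X-CSRF-Token, the "Fetch" request value and the "Required" response value are the SAP Gateway convention that the post's "token fetch endpoint" relies on. A GET is always allowed (it changes no state); a GET carrying X-CSRF-Token: Fetch is the token fetch call; modifying methods are rejected with 403 unless the token is present, bound to the same session, and unexpired.

```python
import hmac
import secrets
import time

# Constructed model of the X-CSRF exchange (added example, not the Actions
# Editor's own code). Names and the 1800-second lifetime are assumptions.
MODIFYING_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


class CsrfProtector:
    """Server-side store of per-session tokens with an expiry."""

    def __init__(self, ttl_seconds=1800):
        self.ttl = ttl_seconds
        self._tokens = {}  # session_id -> (token, issued_at)

    def issue(self, session_id, now=None):
        """Generate a fresh, unpredictable token bound to the session."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._tokens[session_id] = (token, now)
        return token

    def is_valid(self, session_id, presented, now=None):
        """True only if a token exists for the session, matches, and is unexpired."""
        now = time.time() if now is None else now
        entry = self._tokens.get(session_id)
        if entry is None or presented is None:
            return False
        token, issued_at = entry
        if now - issued_at > self.ttl:
            return False
        # constant-time compare so the check leaks nothing about the expected token
        return hmac.compare_digest(token, presented)


def handle_request(protector, method, session_id, headers, now=None):
    """Dispatch one request; returns (status, response_headers).

    GET never needs a token. A GET with X-CSRF-Token: Fetch is the token fetch
    endpoint and answers with a token in the same header. Modifying methods
    get 403 (with X-CSRF-Token: Required) when the token is missing, wrong for
    the session, or expired.
    """
    method = method.upper()
    if method == "GET":
        if headers.get("X-CSRF-Token", "").lower() == "fetch":
            return 200, {"X-CSRF-Token": protector.issue(session_id, now)}
        return 200, {}
    if method in MODIFYING_METHODS:
        if protector.is_valid(session_id, headers.get("X-CSRF-Token"), now):
            return 200, {}
        return 403, {"X-CSRF-Token": "Required"}
    return 405, {}


def demo():
    """Walk through the exchange; returns the list of statuses observed."""
    p = CsrfProtector(ttl_seconds=1800)
    sid = "session-A"  # constructed session identifier
    results = []
    status, hdrs = handle_request(p, "GET", sid, {"X-CSRF-Token": "Fetch"}, now=0)
    results.append(status)                                                          # 200, token fetched
    token = hdrs["X-CSRF-Token"]
    results.append(handle_request(p, "POST", sid, {"X-CSRF-Token": token}, now=10)[0])          # 200, valid
    results.append(handle_request(p, "POST", sid, {}, now=10)[0])                               # 403, missing
    results.append(handle_request(p, "DELETE", sid, {"X-CSRF-Token": "guess"}, now=10)[0])      # 403, invalid
    results.append(handle_request(p, "PUT", sid, {"X-CSRF-Token": token}, now=4000)[0])         # 403, expired
    results.append(handle_request(p, "POST", "session-B", {"X-CSRF-Token": token}, now=10)[0])  # 403, other session
    results.append(handle_request(p, "GET", sid, {}, now=4000)[0])                              # 200, GET is exempt
    return results


if __name__ == "__main__":
    print(demo())
```

The token is bound to the session and compared in constant time; binding is what stops a token fetched in one browser session from authorising a modifying request in another, which is the property that makes the "fetch then reuse" flow in the Actions Editor safe.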
Actions Editor – Feature List, Usage and Maintenance of Actions Project
As of today, there are two ways to configure an X-CSRF token fetch endpoint in the Actions Editor:
Approach 1: Configure a token fetch endpoint in the Project Settings
1. Click on the project settings icon. This opens the project settings dialog.
2. Configure and save the token fetch endpoint. This endpoint is applied to all the modifying actions in the project.
After the global token fetch endpoint is configured, it appears in the top right-hand corner of the action details section, as shown below.
3. The action designer can also provide a token fetch endpoint specific to an action. This endpoint overrides the global endpoint configured in step 2.
Note: In certain cases, the GET call to the token fetch endpoint can return a huge response. We suggest adding $top=1 to the endpoint, or just using /, in such cases. E.g., the endpoint can be /A_BusinessPartner?$top=1 or /.
4. Execute the action.
Approach 2: Support addition of X-CSRF-TOKEN header from the Parameter table
1. Disable the global X-CSRF protection in the Project Settings dialog.
2. Add a header parameter X-CSRF-TOKEN of type string in the Parameter table.
3. Provide the value for X-CSRF-TOKEN in the Test interface.
4. Execute the action.
Note: It is possible to disable or enable CSRF at the destination level, e.g., X-CSRF could be enabled in the production environment but disabled in the development environment. To achieve this, add a boolean property sap.lcnc.fetchXcsrf under the Additional Properties section of the destination configuration and set its value to true or false.
Thanks for reading and I hope it helped to understand the concept of configuring X-CSRF using Actions Editor. Please feel free to leave a comment if there are any questions and I would be happy to receive any feedback.