Hi experts,
a Python Flask app shall be deployed to an SAP BTP Cloud Foundry subaccount with a web server handling security (XSUAA). The app appears to work well during local tests, or when XSUAA is locally simulated. However, as soon as the app is pushed to the BTP subaccount with XSUAA any modifying POST results in a 'Forbidden' response. When analyzing the respective logs, this response stood out: "POST request to /curate/279/update completed with status 403 The request does not contain a x-csrf-token".
I did attempt to implement the following code to obtain the x-csrf-token in GET and use it in the header in POST, but failed to obtain a value for x-csrf-token in GET.
Perhaps one of you could help figure out how I could get a value for x-csrf-token in GET?
Thank you.
# x-csrf-token
lbl_csrf = 'x-csrf-token'
headers = {lbl_csrf: 'Fetch'}
url_suffix = f"{id}/update"
endpt_url = '/'.join([xsuaa_service_url(), url_suffix])
x_csrf_token = None
...within a Blueprint route definition I included this code:
## Connect to the server
with requests.Session() as s:
response = s.get(endpt_url, headers=headers, cookies=s.cookies)
if response and hasattr(response, 'headers' )
current_app.logger.info("GET headers: %s, cookies: %s",
response.headers, response.cookies)
if hasattr(response.headers, lbl_csrf )
x_csrf_token = response.headers[lbl_csrf]
current_app.logger.info("GET: x-csrf-token: %s", x_csrf_token)
if request.method == 'POST':
# x-csrf-token
if x_csrf_token:
headers={'Content-Type':'application/json', lbl_csrf: x_csrf_token}
with requests.Session() as s:
resp = s.post(endpt_url, headers=headers, cookies=s.cookies)
current_app.logger.info("POST headers: %s, %s", resp, headers, s.cookies)
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.