Technology Blogs by SAP
Learn how to extend and personalize SAP applications. Follow the SAP technology blog for insights into SAP BTP, ABAP, SAP Analytics Cloud, SAP HANA, and more.
Showing results for 
Search instead for 
Did you mean: 
Product and Topic Expert
Product and Topic Expert

Concept and Need:

A CSRF token is a unique, secret, and unpredictable value that is generated by the server side and transmitted to the client to prevent CSRF attacks. The client includes the token in every subsequent modifying (create, update, and delete) request. The server-side application validates the request and rejects, if the expected token is missing, invalid, or expired. This protects the application from unauthorised modification of the database by a malicious entity.

Most SAP APIs have X-CSRF enabled for the create, update and delete operations to protect the APIs against CSRF attacks. As a part of this feature, we are providing the option to capture an action as X-CSRF relevant. Since GET requests do not change the state of a database, X-CSRF capability cannot be configured for a GET action.


Parent Blog:

 Actions Editor – Feature List, Usage and Maintenance of Actions Project

As of today, there are 2 ways to configure a X-CSRF token fetch endpoint in Action Editor:

  1. Configure a global token fetch endpoint in the Project Settings dialog.
  2. Support addition of X-CSRF-TOKEN header from the Parameter table.


Approach 1: Configure a global token fetch endpoint for an Actions Project

1. Click on the project settings icon. This will open the project settings dialog.



2. Now configure and save the token fetch endpoint. This endpoint will be applied to all the modifying actions in the project.


After the global token fetch endpoint is configured, it will appear on the top right hand corner of the action details section as shown below.


3. Action designer can also provide a token fetch endpoint specific to an action. This endpoint will override the global endpoint configured in the beginning.

Screenshot 2024-04-03 at 4.15.29 PM.png

Note: In certain cases, the GET call to the token fetch endpoint can return a huge response. We suggest adding $top = 1 to the endpoint or just having / in such cases. E.g., the endpoint can be /A_BusinessPartner?$top=1 or  /.

4. Execute the action.

Screenshot 2024-04-03 at 4.15.39 PM.png


Approach 2: Support addition of X-CSRF-TOKEN header from the Parameter table

1. Disable the global X-CSRF protection from the Project Settings dialog.


2. Add a header parameter X-CSRF-TOKEN of type string in the Parameter table.


3. Provide the value for the X-CSRF-TOKEN in the Test interface.


4. Execute the action


Note:  It is possible to disable/enable CSRF at the destination level e.g., X-CSRF could be enabled in the production environment but disabled in the development environment. To achieve this, we need to add a boolean property sap.lcnc.fetchXcsrf under the Additional Properties section of the destination configuration and set its value to true/false.


Thanks for reading and I hope it helped to understand the concept of configuring X-CSRF using Actions Editor. Please feel free to leave a comment if there are any questions and I would be happy to receive any feedback.