Former Member

Retrieve X-CSRF-Token from sapes1 ZGWSAMPLE_SRV


x-posted from:

I have successfully retrieved the "X-CSRF-Token" token value for a number of the other OData services (e.g. ZCD204_EPM_DEMO_SRV) on sapes1, but I'm unable to get a response that includes the cookie & header being set in the response when accessing .

My username and password are correct, and I can retrieve data in ZGWSAMPLE_SRV, but when I set "X-CSRF-Token" to "Fetch" the response headers do not include an "X-CSRF-Token" entry.

Using the "REST Console" in chrome I can provide the details of a failing request.

Request Headers:

Authorization: Basic SOMEVALUE

X-CSRF-Token: Fetch

Accept: */*

Connection: keep-alive

Content-Type: application/xml

Origin: chrome-extension://rest-console-id

User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36

Response Headers:

Status Code: 200

server: SAP NetWeaver Application Server / ABAP 702

dataserviceversion: 2.0

content-length: 2574

content-type: application/atomsvc+xml

The CSRF token header is missing.

Am I doing something wrong? Is the service mis-configured? What do I need to try to overcome this?




1 Answer

  • Best Answer
    Former Member
    Jan 13, 2015 at 08:44 AM

    Hi Thomas,

    the check of the X-CSRF-Token is deactivated for that service, that's why the ICF does not create tokens. If you start transaction SICF and navigate to your service node, view the service details and press button "GUI configuration" on the tab Service Data. There you can see the parameter ~CHECK_CSRF_TOKEN = 0, which means "deactivated".

    Unfortunately you cannot change it by yourself. You may switch to edit mode and change the parameter, but when you try to save it, an error message will show up (that happens for my user, at least).

    Official guidance is provided here:

    Best regards,



    • Former Member

      Hi Ringo,

      Thanks for the info, it helped a lot. It looks like that service is set up in "Compatibility Mode for SP02" mode, so using 'X-Requested-With=XMLHttpRequest' allowed me to post modifying requests.

      (Apologies for the ignorance on the SAP side of things, I'm not an SAP guy, just a developer trying to integrate with a client SAP system).
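
The client-side handling discussed in this thread, as an added example that is not code from any of the posters or from SAP: it reads the response to an "X-CSRF-Token: Fetch" request, reuses the token and session cookies on modifying requests, and refuses to send writes without a token unless the caller states that the service runs in the compatibility mode described above. The function names, the sample header blocks, and the token and cookie values are constructed for illustration.

```python
from email import message_from_string

# Constructed responses to a GET sent with "X-CSRF-Token: Fetch".
# NO_TOKEN mirrors the response headers posted in the question.
NO_TOKEN = (
    "server: SAP NetWeaver Application Server / ABAP 702\n"
    "dataserviceversion: 2.0\n"
    "content-type: application/atomsvc+xml\n"
)
# Token and cookie names/values below are constructed placeholders.
WITH_TOKEN = (
    "x-csrf-token: CONSTRUCTED-TOKEN==\n"
    "set-cookie: SESSION_PLACEHOLDER=constructed-session; path=/; HttpOnly\n"
    "set-cookie: context_placeholder=client=000; path=/\n"
    "content-type: application/atomsvc+xml\n"
)


def parse_fetch_response(raw_headers):
    """Return (token, cookie_header) from a raw response header block."""
    msg = message_from_string(raw_headers)
    token = (msg.get("X-CSRF-Token") or "").strip()  # case-insensitive lookup
    if token.lower() in ("", "fetch", "required"):
        token = None  # header absent, or not an actual token value
    # The token is tied to the session, so the cookies travel with it.
    pairs = [c.split(";", 1)[0].strip() for c in msg.get_all("Set-Cookie", [])]
    return token, "; ".join(pairs)


def write_headers(raw_headers, compatibility_mode=False):
    """Headers to attach to a modifying request (POST/PUT/DELETE)."""
    token, cookies = parse_fetch_response(raw_headers)
    headers = {"Cookie": cookies} if cookies else {}
    if token:
        headers["X-CSRF-Token"] = token
    elif compatibility_mode:
        # Only for services known to run with the token check deactivated.
        headers["X-Requested-With"] = "XMLHttpRequest"
    else:
        raise LookupError("no X-CSRF-Token returned; check the service's "
                          "~CHECK_CSRF_TOKEN setting before sending writes")
    return headers


if __name__ == "__main__":
    print(write_headers(WITH_TOKEN))
    print(write_headers(NO_TOKEN, compatibility_mode=True))
```

Failing closed when no token comes back makes a deactivated token check visible during integration instead of letting it pass unnoticed.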