Skip to Content

XSJS - Ajax Post Error 403(Forbidden)

Hi Experts,

I have created an xsjs to write into the tables.

I have created a simple ajax post call.

I have created this about a week ago and everything was working fine till today.
Today i am getting the error : 403 Forbidden in Chrome,

In morzilla it is giviing the error Request execution failed due to missing or invalid XSRF token

The details are as below:

I am not sure what is the reason. . . and i have not changed any system values/priviledges.

Any Idea on that ?

Add a comment
10|10000 characters needed characters exceeded

Assigned Tags

Related questions

3 Answers

  • Posted on Sep 30, 2015 at 08:50 AM

    Hi friend,

    Please first check the prevent_xsrf keyword in the application-acess (.xsaccess) file.

    If the value of prevent_xsrf keyword of is true, it can cause this problem.

    the topic Cross-Site Request-Forgery Recommendation in HANA developer guide might be helpful.

    Add a comment
    10|10000 characters needed characters exceeded

  • author's profile photo Former Member
    Former Member
    Posted on Jul 26, 2016 at 09:17 AM


    if you work with Postman or with CORS mechanism, add "cors" object is your xsaccess file :

      "exposed": true,
      "authentication": {
       "method": "Form"
    }, "cache_control": "must-revalidate", "cors": { "enabled": true, "allowMethods": [ "GET", "POST", "HEAD", "OPTIONS"
    ], "allowOrigin": ["*"], "maxAge": "3600"
    }, "enable_etags": false, "force_ssl": false, "prevent_xsrf": false

    It works but i recommend to use a proxy like Nginx.

    Best Regards


    Add a comment
    10|10000 characters needed characters exceeded

  • Posted on Jan 08, 2016 at 12:15 PM

    Hi Pinaki

    I have the same problem, did you find a solution ?


    Add a comment
    10|10000 characters needed characters exceeded

    • "prevent_xsrf": false does not do the trick for me :-(

      I am on HANA 9703. I simply created a totally new XSJS project "d2" with a basic (standard template) XSJS program named "std.xsjs". Next, I made the aforementioned change to .xsaccess file to reset prevent_xsrf, and activated it.

      Using Postman. If I run a GET on this path (https://.../d2/std.xsjs) then I get a login form. If I run POST on this path then I get a 403. It seems bizarre.

      Even more strange is that if I enable CORS while prevent_xsrf is false, I no longer get 403s. Probably because the cors setting somehow sneaks in all http methods. But I do not want to enable CORS... so it's back to square one.

Before answering

You should only submit an answer when you are proposing a solution to the poster's problem. If you want the poster to clarify the question or provide more information, please leave a comment instead, requesting additional details. When answering, please include specifics, such as step-by-step instructions, context for the solution, and links to useful resources. Also, please make sure that you answer complies with our Rules of Engagement.
You must be Logged in to submit an answer.

Up to 10 attachments (including images) can be used with a maximum of 1.0 MB each and 10.5 MB total.