Hello,

for my work i use the Overview | Maintenance Notification | SAP API Business Hub API. Testing the API via the Postman works very well all the GET/PUT/POST requests do function and don't produce any issues at all.

In order for a POST or PUT request to function it is necessary to have the csrf-token for it as well as the cookie, both could be gotten via a GET Request.

Now those requests implemented in simplifier (IDE), don't function that well. There are no issues with GET requests , however, PUT/POST, are an issue.

Erorr: "The Http request was not successful due to the client error: [403: Forbidden - The request was a legal request, but the server is refusing to respond to it.] Response: CSRF token validation failed". What to do about it?

Question 1. Should only the cookie and csrf-token be handed over, are there additional mandatory fields that also should be send ?

Question 2. GET request, depending on the verbosity can generate one "Set-Cookie" or almost 6. which one should be handed over ? What formatting? Example: "Set-Cookie": "SAP_SESSIONID=DfdggdsgsdaG-GP22ptVuUQVh81fQdsadasddsa%3d; Path=/". Should the path be let out ?

Question 3. what is the correct writing of csrf-Token and cookie when handing over? There are multiple versions

• x-csrf-token; X-CSRF-Token;
• cookie; Cookie; set-cookie; Set-Cookie