
Can X-CSRF-Token have a static/constant value in OData?


Hello Experts,

I need some pointers on X-CSRF-Token. Is it possible to have a static/constant value for X-CSRF-Token instead of using Fetch every time?

My client's requirement is that they don't want to disable it and pass the value 'X' for the header 'X-Requested-With'; instead they want some long value for X-CSRF-TOKEN, but it should be constant. They don't want to fetch a new value every time.

So is it possible in SAP to set one value for X-CSRF-TOKEN in OData?

Thank You,

Sagar

Accepted Solutions (1)



I have solved the problem by disabling the CSRF check in SAP and creating a new header 'X-SAP-KEY'. I set some long value (e.g. lHyka-k6j9-Pa90-jap====) in one of my custom tables and gave it to the other team, asking them to pass this header with this value in the method call and also to pass the header 'X-Requested-With' with value 'X' to notify that CSRF is disabled.

So when SAP receives the call, the code checks this header against the saved value.

Using this logic, the dynamic token is disabled and we are still able to use a static value to verify a secure connection; well, not like CSRF, but they wanted it like this, so we implemented it like this.

In my case the other system was a non-SAP system, and with the dynamic token their effort was increasing, so we implemented this functionality.
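To make the two designs in this thread concrete, here is an added simulation of both server-side checks and the matching client calls. It is example code written for this page, not SAP Gateway code and not the poster's implementation; HTTP messages are modelled as plain method/header/cookie arguments, and the header name X-SAP-KEY, the key value quoted in the accepted solution and the session identifiers are taken from the thread or assumed. The first class implements the standard OData flow (one GET with X-CSRF-Token: Fetch per session, the token bound to that session and unguessable), the second the static shared-key header check from the accepted solution, compared in constant time so the key is not leaked through timing.

```python
"""Simulation of the two X-CSRF-Token designs discussed in this thread.

Constructed example; none of this is SAP Gateway code. Requests and
responses are plain Python values standing in for HTTP messages.
"""
import hmac
import secrets

# Header name and key value as described in the accepted solution; the
# custom table that stores the key in the real system is not on the page.
STATIC_HEADER = "X-SAP-KEY"
STATIC_KEY = "lHyka-k6j9-Pa90-jap===="

# Request methods that change state and therefore need protection.
MODIFYING = {"POST", "PUT", "PATCH", "DELETE", "MERGE"}


class TokenGateway:
    """Per-session, unpredictable token: the standard OData fetch/use flow."""

    def __init__(self):
        self._tokens = {}  # session cookie -> current CSRF token

    def handle(self, method, headers, session):
        headers = {k.lower(): v for k, v in headers.items()}
        if method == "GET" and headers.get("x-csrf-token") == "Fetch":
            token = secrets.token_urlsafe(32)  # 256 random bits, unguessable
            self._tokens[session] = token       # valid only for this session
            return 200, {"X-CSRF-Token": token}
        if method in MODIFYING:
            expected = self._tokens.get(session)
            presented = headers.get("x-csrf-token", "")
            # No token fetched for this session, or a token from another
            # session, is rejected; a real Gateway answers 403 here too.
            if expected is None or not hmac.compare_digest(expected, presented):
                return 403, {"X-CSRF-Token": "Required"}
        return 200, {}


class StaticKeyGateway:
    """Accepted solution: CSRF check off, constant shared key in a custom header."""

    def __init__(self, key):
        self._key = key

    def handle(self, method, headers, session=None):
        headers = {k.lower(): v for k, v in headers.items()}
        if method in MODIFYING:
            # X-Requested-With: X tells the Gateway the CSRF check is bypassed.
            if headers.get("x-requested-with") != "X":
                return 403, {}
            presented = headers.get(STATIC_HEADER.lower(), "")
            # compare_digest keeps the comparison time independent of how
            # many leading characters of the key the caller got right.
            if not hmac.compare_digest(self._key, presented):
                return 403, {}
        return 200, {}


def post_with_fetch(gw, session):
    """Client side of the standard flow: one extra GET per session, not per call."""
    status, resp = gw.handle("GET", {"X-CSRF-Token": "Fetch"}, session)
    if status != 200:
        raise RuntimeError("token fetch failed")
    token = resp["X-CSRF-Token"]
    return gw.handle("POST", {"X-CSRF-Token": token}, session)[0]


def post_without_fetch(gw, session):
    """A request that carries the session cookie but never fetched a token."""
    return gw.handle("POST", {}, session)[0]


def post_with_foreign_token(gw):
    """A token fetched in one session replayed in another session."""
    _, resp = gw.handle("GET", {"X-CSRF-Token": "Fetch"}, "session-A")
    return gw.handle("POST", {"X-CSRF-Token": resp["X-CSRF-Token"]}, "session-B")[0]


def post_with_static_key(gw, key, requested_with="X"):
    """Client side of the accepted solution's custom-header check."""
    return gw.handle("POST", {"X-Requested-With": requested_with, STATIC_HEADER: key})[0]


if __name__ == "__main__":
    print("fetch then POST:", post_with_fetch(TokenGateway(), "s1"))       # 200
    print("POST without fetch:", post_without_fetch(TokenGateway(), "s1"))  # 403
    print("foreign token:", post_with_foreign_token(TokenGateway()))        # 403
    sk = StaticKeyGateway(STATIC_KEY)
    print("correct static key:", post_with_static_key(sk, STATIC_KEY))      # 200
    print("wrong static key:", post_with_static_key(sk, "guess"))           # 403
```

The token gateway shows that the "additional request" is a single Fetch per session, after which the same token is reused on every modifying call until the session ends. The static-key gateway works as the accepted solution describes, but because the value is constant and shared, it behaves as an API key for the calling system rather than as a CSRF token: nothing ties it to a session, so anyone who obtains it can use it indefinitely.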

Answers (2)


gregorw
Active Contributor

Dear Sagar,

I suggest your client should read through Cross-site request forgery and especially the recommendation:

"The CSRF token itself should be unique and unpredictable."

What's the issue with the additional request? Does that bring down performance so much?

Best regards
Gregor

luis_sismeiro
Participant

Hi Sagar,

You can disable the CSRF token. Please refer to the link:

https://help.sap.com/saphelp_gateway20sp12/helpdata/en/e6/cae27d5e8d4996add4067280c8714e/frameset.ht...

It is not recommended; it goes against all security best practices.

KR,

Luís


This solution is already in use, but they are saying this X value looks simple, and they also don't want to use a dynamic token.