CSRF Protection

Use

On change requests (PUT, POST, and DELETE) from REST clients to an ABAP server, the client has to provide a CSRF (Cross-Site Request Forgery) token.

Such a token is obtained with a preceding service call to the ABAP server: on a non-changing request (GET, HEAD, OPTIONS), the client sets the HTTP header X-CSRF-Token to the value Fetch. The ABAP server returns a CSRF token in the same header, and the client sends that value in the X-CSRF-Token header on subsequent server-state-changing calls.

If this header is not present on a server-state-changing REST call, the server responds with an HTTP 403 ("Forbidden") return code, sets the X-CSRF-Token response header to "Required", and returns an error text (for example, "CSRF token validation failed").

Process

This code fragment sets the X-CSRF-Token header to Fetch on the REST client's request, so that the token is requested on a non-changing call.

    " Request a CSRF token on a non-changing call (GET, HEAD, OPTIONS)
    lo_rest_client->set_request_field(
      name  = if_rest_request=>gc_header_csrf_token
      value = 'Fetch' ).

On a successful response to the fetch call, the returned CSRF token can be kept for later state-changing REST requests. This code fragment reads the CSRF token from a successful server response.

    " The server returns the token in the same header it was requested in
    data: lv_csrf_token type string.
    lv_csrf_token = lo_rest_client->get_header_field(
      name = if_rest_request=>gc_header_csrf_token ).

An obvious follow-up question: how long does the CSRF token stay valid?

The validity of the CSRF token depends on the release of the ABAP component SAP_BASIS and on whether security session management is active (it is configured per SAP client via transaction SICF_SESSIONS):

  1. Release < 7.03/7.31, or security session management inactive: a dedicated CSRF cookie (sap-XSRF_<SystemID>_<SAPClient>) is generated, and the CSRF token remains valid for 24 hours (86400 seconds).

  2. Release >= 7.03/7.31 with security session management active: the validity is bound to the security session, which depends on the value of the system parameter http/security_session_timeout (see transaction RZ11 for details on this parameter). By default, security session management is active in these releases.
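The following Python model, added here as an illustration and not part of the SAP documentation or the ABAP REST library, plays both sides of the exchange described above: the fetch on a GET, the 403 with X-CSRF-Token: Required on an unprotected POST, and the token being rejected once the validity period has passed. The server rules, session ids and the 24 hour default are constructed to mirror the text, not taken from SAP's implementation.

```python
import secrets
import time

CSRF_HEADER = "X-CSRF-Token"
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}       # may fetch a token, never need one
CHANGING_METHODS = {"PUT", "POST", "DELETE"}    # must carry a valid token


class CsrfServer:
    """Constructed model of the server-side rules described above (not SAP code)."""

    def __init__(self, validity_seconds=86400, clock=time.time):
        self.validity = validity_seconds   # 24 h, as in the sap-XSRF cookie case
        self.clock = clock
        self.issued = {}                   # token -> (session_id, issued_at)

    def handle(self, method, headers, session_id):
        token = headers.get(CSRF_HEADER)
        if method in SAFE_METHODS:
            resp = {"status": 200, "headers": {}}
            if token is not None and token.lower() == "fetch":
                new = secrets.token_urlsafe(24)
                self.issued[new] = (session_id, self.clock())
                resp["headers"][CSRF_HEADER] = new   # token travels back in the same header
            return resp
        if method in CHANGING_METHODS:
            owner, issued_at = self.issued.get(token, (None, 0))
            if owner == session_id and self.clock() - issued_at < self.validity:
                return {"status": 200, "headers": {}}
            return {"status": 403, "headers": {CSRF_HEADER: "Required"},
                    "body": "CSRF token validation failed"}
        return {"status": 405, "headers": {}}


def exchange(server, session_id):
    """Client side: fetch once on a GET, then reuse the token on POST. Returns status codes."""
    bare = server.handle("POST", {}, session_id)                           # no token -> 403
    fetched = server.handle("GET", {CSRF_HEADER: "Fetch"}, session_id)
    token = fetched["headers"][CSRF_HEADER]
    ok = server.handle("POST", {CSRF_HEADER: token}, session_id)           # valid token -> 200
    other = server.handle("POST", {CSRF_HEADER: token}, "other-session")   # foreign session -> 403
    return bare["status"], bare["headers"].get(CSRF_HEADER), ok["status"], other["status"]


def expiry_demo():
    """A token issued under a movable clock is rejected once the 24 h validity has elapsed."""
    now = [1_000_000.0]
    server = CsrfServer(clock=lambda: now[0])
    token = server.handle("GET", {CSRF_HEADER: "Fetch"}, "s1")["headers"][CSRF_HEADER]
    before = server.handle("PUT", {CSRF_HEADER: token}, "s1")["status"]
    now[0] += 86400                                  # jump past the validity window
    after = server.handle("PUT", {CSRF_HEADER: token}, "s1")["status"]
    return before, after
```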