A token-based protection against CSRF is active by default in SAP Netweaver Gateway and SAP HANA XS Fiori OData services. It protects all modifying requests.