Skip to Content
Author's profile photo Megha Chatterjee

Handling CSRF tokens in SAP Cloud Platform Integration

What is a CSRF token?

CSRF or Cross-Site Request Forgery is a type of attack that occurs when a malicious web site or any program causes a user’s web browser to perform an unwanted action on a trusted site for which the user is currently authenticated.

Enabling the website or program to require CSRF tokens to invoke it, is one of the ways of preventing this attack.

How it works

Services which are hosted on SAP Gateway require CSRF token validation. In this example, we’ve used a gateway URL for testing.

  1. Fetch the CSRF token

Use the metadata URL of the gateway service to fetch the CSRF token.

(The URL for fetching the csrf token differs from application to application. For workflow services, append ‘xsrf-token’ to the URL.


Perform a GET call and pass the following header:

Key: X-CSRF-Token

Value: fetch


In response, you will get the CSRF token as a header.

  1. Invoke the service with the CSRF token obtained from the previous call

Copy the CSRF token obtained from the previous call and paste it in the header of the post call, as shown below.


If the validation is unsuccessful, you will get a 403 – forbidden error, which means that the CSRF token validation failed. In such cases, check if the user has roles to trigger the URL and make sure you’ve copied the CSRF token from the previous call, properly. If there are no errors, you will get a 200 or 201 response.


Implementing it in SAP Cloud Platform Integration

Now let’s see how to implement the above in SAP Cloud Platform Integration.

Here, just passing headers will not be enough. We will also have to take care of the session cookies, which are internally handled by any REST client.

In the above example, we can view the session cookies being created, by adding the interceptor add-on in Postman.

We’ll be implementing this logic of retrieving the cookies using a groovy script.




Components used:
1 Sender Channel HTTPs Sender channel to trigger the Iflow
2 Content Modifier 1 Set the header ‘x-csrf-token’ to fetch the CSRF token
3 Request Reply 1 Uses an HTTP channel to perform a get call to the gateway metadata URL.
4 Script Fetches and set the session cookies
5 Content Modifier 2 Sets the content type and the payload for the post call
6 Request Reply 2 Uses an HTTP channel to perform the final POST call


  1. HTTPs Sender Channel


         2. Content Modifier 1


  1. Request Reply 1 – HTTP Receiver Channel


  1. Script
import groovy.xml.*;
def Message processData(Message message) 
    def headers = message.getHeaders();
    def cookie = headers.get("Set-Cookie");
    StringBuffer bufferedCookie = new StringBuffer();
    for (Object item : cookie) 
        bufferedCookie.append(item + "; ");      
    message.setHeader("Cookie", bufferedCookie.toString());
    def messageLog = messageLogFactory.getMessageLog(message);
    if(messageLog != null)
        messageLog.setStringProperty("Logging_Cookie", bufferedCookie.toString());
    return message;


  1. Content Modifier 2

For testing purposes, I’ve set the payload in the content modifier


  1. Request Reply 2 – HTTP Receiver Channel


Once the IFLOW is deployed and triggered, you can see the cookie being set in the POST call, in the MPL logs and also in the response header in Postman.


Assigned Tags

      You must be Logged on to comment or reply to a post.
      Author's profile photo Vikas Kumar Singh
      Vikas Kumar Singh

      Well done. It is great to see this from you. Very neat and explanatory stuff with lot of screenshots make this a very good resource for reference.

      Author's profile photo Kevin Teeling
      Kevin Teeling

      Great Blog post, very clearly explained. Thank you

      Author's profile photo Axel Albrecht
      Axel Albrecht

      Please don't use this script when you have Session Handling enabled in your integration flow. The flow itself will take care that cookies with the same scope are re-used across calls.

      Author's profile photo Jacques-Antoine Ollier
      Jacques-Antoine Ollier

      Excellent point!

      Author's profile photo Praveen Ravula
      Praveen Ravula

      Does session handling takes care of CSRF Token fetching part as well?


      Author's profile photo Axel Albrecht
      Axel Albrecht

      no Praveen. Some adapters are doing this automatically if configured, for other adapters you have to do this yourself. The session handling is independent on that.

      Author's profile photo Praveen Ravula
      Praveen Ravula

      Thanks for your reply. What is the retry mechanism used by supporting adapters? Sometimes I am seeing 403 issue with Stale cookies and CSRF Tokens in POSTMAN. Does it ever happen with Integration flows?

      Author's profile photo Sugandhan Vazhumuni
      Sugandhan Vazhumuni

      Great post. This helped alot in understanding the process

      Author's profile photo Artem Kovalov
      Artem Kovalov

      Thanks for highlighting the cookies part.

      Author's profile photo Jacques-Antoine Ollier
      Jacques-Antoine Ollier

      Very clear! Thank you!

      Author's profile photo Nikhil Walsetwar
      Nikhil Walsetwar

      Thank you so much Axel Albrecht  for highlighting it. Attaching the related screenshot for other's reference.

      Author's profile photo Thamizharasan Mohan
      Thamizharasan Mohan

      Hi Nikhil Walsetwar


      Thank you for the screenshot. Is there a way to pass the body which comes from the client / postman to request reply 2.