CSRF Token Validation Failed in POST method in Gateway Client
With latest version of S/4 Hana, we get “CSRF Token Validation Failed” in Gateway client (T-code: /IWFND/GW_CLIENT). In previous version of S/4 Hana, this error were not raised when testing in Gateway client or API testing tool such as Postman. But, the latest version of S/4 Hana raises this error as it follows a stricter X-CSRF rule. Check out the note 2597429 for more information.
- The Cookie has to be set along with X-CSRF-TOKEN in POST request header.
- Use Postman to test the API, as the length of the cookie may exceed 255 char. The maximum length of the module pool field is 255. Hence, we cannot set the cookie value properly in request header in Gateway Client. So, Postman is preferred.
Fetch CSRF Token and Cookie and Set in POST request:
To fetch the CSRF token, we will call a GET API. Either we can use the same OData API which we will use to push the data or we can have a separate API which can be used centrally to fetch the CSRF token and cookie.
To fetch the CSRF token, please maintain the header parameter of request as below as below. After that please click on “save”.
(Header parameter in request to fetch CSRF Token)
Once we click on the “Send” button, we will get the response as below. We can see status is “200”, which means the call is success. We can see the CSRF token and cookie has been retrieved.
We can see CSRF token and Cookie has been retrieve. We can see 2 entries for the cookie. So, both the value has to be concatenate with semicolon “;” as separator.
Provide the CSRF token and Cookie been retrieve in previous step in post method.
We can see the data is posted successfully.
We saw how we can fetch the CSRF token and Cookie using a GET request and how to set those in the POST request. Doing so, the issues with CSRF token will be resolved.
Please follow the blog post to see how the fetching and setting of CSRF token and cookie can be automated in Postman.