Skip to Content
Technical Articles
Author's profile photo Gourab Dey

CSRF Token Validation Failed in POST method in Gateway Client


With latest version of S/4 Hana, we get “CSRF Token Validation Failed” in Gateway client (T-code: /IWFND/GW_CLIENT). In previous version of S/4 Hana, this error were not raised when testing in Gateway client or API testing tool such as Postman. But, the latest version of S/4 Hana raises this error as it follows a stricter X-CSRF rule. Check out the note 2597429 for more information.

Issue Resolution:

  • The Cookie has to be set along with X-CSRF-TOKEN in POST request header.
  • Use Postman to test the API, as the length of the cookie may exceed 255 char. The maximum length of the module pool field is 255. Hence, we cannot set the cookie value properly in request header in Gateway Client. So, Postman is preferred.

Fetch CSRF Token and Cookie and Set in POST request:

To fetch the CSRF token, we will call a GET API. Either we can use the same OData API which we will use to push the data or we can have a separate API which can be used centrally to fetch the CSRF token and cookie.

To fetch the CSRF token, please maintain the header parameter of request as below as below. After that please click on “save”.

(Header parameter in request to fetch CSRF Token)

Once we click on the “Send” button, we will get the response as below. We can see status is “200”, which means the call is success. We can see the CSRF token and cookie has been retrieved.

(Response from GET API)

We can see CSRF token and Cookie has been retrieve. We can see 2 entries for the cookie. So, both the value has to be concatenate with semicolon “;” as separator.

Provide the CSRF token and Cookie been retrieve in previous step in post method.

We can see the data is posted successfully.


We saw how we can fetch the CSRF token and Cookie using a GET request and how to set those in the POST request. Doing so, the issues with CSRF token will be resolved.

Please follow the blog post to see how the fetching and setting of CSRF token and cookie can be automated in Postman.

Assigned Tags

      You must be Logged on to comment or reply to a post.
      Author's profile photo Shweta Jain
      Shweta Jain

      Awesome.. Worked for us ..

      Author's profile photo Gourab Dey
      Gourab Dey
      Blog Post Author

      Hi Shweta, nice to hear it helped you.



      Author's profile photo Kisito Nzonji
      Kisito Nzonji

      Unfortunately this didn't work for me.
      Also tried disabling the CSRF Token check as described in

      But this didn't help either.
      Any Ideas what else i could be missing?

      Thanks in advance

      Author's profile photo Mohamed Salah
      Mohamed Salah


      where do i get the ZGEN_TOKEN_SRV service from ?

      Author's profile photo Mahesh Raghavaraju
      Mahesh Raghavaraju

      Hi Gourab,

      I am getting only one cookie and when passed still facing error.

      BR, Mahesh R.

      Author's profile photo Mahesh Raghavaraju
      Mahesh Raghavaraju

      I was able to fix it by getting all the cookies with below syntax and passing it on to POST Request

      *** Get Cookies from Get call
        METHOD if_web_http_response~get_cookies.
              cookies = r_value
          check_error( ).
      *** Loop and set all the cookies to the POST Request
                LOOP AT lt_cookies ASSIGNING FIELD-SYMBOL(<cookie>).
                  lo_request->set_cookie( i_name = <cookie>-name
                             i_path = <cookie>-path
                             i_value = <cookie>-value
                             i_domain = <cookie>-domain
                             i_expires = <cookie>-expires
                             i_secure = <cookie>-secure  ).
      <<< Below Just FYI >>>
        METHOD if_web_http_request~set_cookie.
              name    = i_name
              path    = i_path
              value   = i_value
              domain  = i_domain
              expires = i_expires
              secure  = i_secure
          r_value = me.
          check_error( ).
      Author's profile photo Hendrik Leusmann
      Hendrik Leusmann

      Hi together,

      Is there a way of still using GW_CLIENT and not disabling the csrf-checks for all requests (independend from the source GW_CLIENT or call from outside the system)?

      For debugging reasons I really like the /IWFND/ERROR_LOG and the "replay" via GW_CLIENT, don't want to miss this feature after upgrading to S/4 Hana 2021.

      Regards Hendrik