GET and POST CSRF Token internally using policies in SAP APIM
This blog post describes how to fetch a CSRF token internally and pass it in the request headers using policies in SAP API Management.
What is CSRF, and what happens if we don't pass the token?
CSRF stands for Cross-Site Request Forgery; a CSRF token is a security token used to prevent CSRF attacks. A CSRF token is required whenever you are going to modify data in the backend.
If the backend accepts requests without a CSRF token, there is a high chance that attackers can make calls on behalf of a user.
You may get an error like "CSRF validation failed" in the response whenever you call the API with methods such as POST, PATCH or DELETE. This happens because either you are not passing the CSRF token in the headers or you are passing an invalid token.
How to get the token and pass it to the backend?
Generally, to get the token we send a GET request with the header x-csrf-token and the value fetch. After a successful call we can see the CSRF token in the response headers. We can copy that token and send it to the backend as a header in the POST request.
- Subscribe to Integration Suite and assign all the roles to your ID.
- Create an API with the endpoint /csrf, and also create one more endpoint with any of these methods (POST/PATCH/DELETE).
Note: You can create endpoints by adding paths in the Swagger definition.
How to get the token and pass it to the backend using policies in SAP APIM?
- Go to the policies and select any endpoint on the left side.
- Add a Service Callout policy and mention your CSRF API path in the local target connection tag of the policy.
// JavaScript policy: read the token and the cookies from the Service Callout response.
// The + "" coerces the header value to a string (null becomes "null" if the header is missing).
var csrf = context.getVariable("calloutResponse.header.x-csrf-token.values.string") + "";
var responsecookies = context.getVariable("calloutResponse.header.set-cookie.values.string");
Note: If you get the "CSRF validation failed" error even though you are passing a valid token, then try passing both the CSRF token and the cookies.
- After getting the token and cookies, add an Assign Message policy with type set to request, and add the CSRF token and cookies as request headers.
Note: If the endpoint supports both GET and POST calls, then you can mention in the condition string: verb != GET
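To make the policy chain concrete, here is an added, stand-alone JavaScript simulation of the flow described above; it is not code from the original post or from SAP API Management. A constructed context object stands in for the policy runtime's flow-variable store, a constructed backend answers the x-csrf-token: fetch call, and the request.verb variable, the csrf.token and csrf.cookie variable names, and the simulateCsrfFetchBackend, setCookieToCookieHeader and runFlow helpers are assumptions of this example. It also goes one step beyond the post by turning the Set-Cookie values into a proper Cookie header and by stopping the flow when no token comes back.

```javascript
// Added example (not from the original post or from SAP): simulation of the
// ServiceCallout -> JavaScript -> AssignMessage chain described in the post.
// The variable names "calloutResponse.header.x-csrf-token.values.string" and
// "calloutResponse.header.set-cookie.values.string" are the ones the post uses;
// everything else (context stand-in, backend, helper names) is constructed here.

// Constructed stand-in for the policy runtime's context (getVariable/setVariable).
function makeContext(initialVars) {
  const store = Object.assign({}, initialVars);
  return {
    getVariable: (name) =>
      Object.prototype.hasOwnProperty.call(store, name) ? store[name] : null,
    setVariable: (name, value) => { store[name] = value; },
  };
}

// Constructed backend: answers a GET carrying "x-csrf-token: fetch" with a token
// and session cookies in the response headers, as the post describes.
function simulateCsrfFetchBackend(requestHeaders) {
  const wantsFetch = String(requestHeaders['x-csrf-token'] || '').toLowerCase() === 'fetch';
  if (!wantsFetch) return { status: 200, headers: {} };
  return {
    status: 200,
    headers: {
      'x-csrf-token': 'constructed-token-8f1c2a',        // constructed sample value
      'set-cookie': [                                      // constructed sample cookies
        'SAP_SESSIONID_ABC_100=abc123; Path=/; HttpOnly',
        'sap-usercontext=sap-client=100; Path=/',
      ],
    },
  };
}

// Set-Cookie values carry attributes (Path, HttpOnly, ...) that do not belong in
// a Cookie request header; keep only the name=value part of each cookie.
function setCookieToCookieHeader(setCookieValues) {
  return setCookieValues
    .map((v) => v.split(';')[0].trim())
    .filter((v) => v.length > 0)
    .join('; ');
}

// Step 1, Service Callout: call the /csrf endpoint and expose the response as
// calloutResponse.* flow variables. Multi-valued headers are joined with ","
// in the ".values.string" variable (assumption modelled on the runtime's behaviour).
function serviceCallout(context) {
  const resp = simulateCsrfFetchBackend({ 'x-csrf-token': 'fetch' });
  context.setVariable('calloutResponse.status.code', resp.status);
  context.setVariable('calloutResponse.header.x-csrf-token.values.string',
    resp.headers['x-csrf-token'] === undefined ? null : resp.headers['x-csrf-token']);
  context.setVariable('calloutResponse.header.set-cookie.values.string',
    (resp.headers['set-cookie'] || []).join(','));
}

// Step 2, JavaScript policy: the two reads from the post, plus a check that a
// token actually came back so the flow fails before the backend is called.
function extractCsrf(context) {
  const csrf = context.getVariable('calloutResponse.header.x-csrf-token.values.string') + '';
  const rawCookies = context.getVariable('calloutResponse.header.set-cookie.values.string') || '';
  if (csrf === '' || csrf === 'null') return false;   // missing token: stop here
  // The constructed cookies contain no commas; cookies with an Expires attribute
  // (which contains a comma) would need a more careful split than this.
  const cookieHeader = setCookieToCookieHeader(rawCookies.split(','));
  context.setVariable('csrf.token', csrf);     // flow variables for the next policy
  context.setVariable('csrf.cookie', cookieHeader);
  return true;
}

// Step 3, Assign Message with condition "verb != GET": add the token and cookie
// headers only to state-changing requests, and leave GET requests untouched.
function assignMessage(context, requestHeaders) {
  if (context.getVariable('request.verb') === 'GET') return Object.assign({}, requestHeaders);
  return Object.assign({}, requestHeaders, {
    'x-csrf-token': context.getVariable('csrf.token'),
    'cookie': context.getVariable('csrf.cookie'),
  });
}

// Runs the whole chain for one incoming request and returns the headers that
// would reach the backend, or null when no token could be fetched.
function runFlow(verb, incomingHeaders) {
  const context = makeContext({ 'request.verb': verb });
  serviceCallout(context);
  if (!extractCsrf(context)) return null;
  return assignMessage(context, incomingHeaders);
}

console.log(runFlow('POST', { 'content-type': 'application/json' }));
console.log(runFlow('GET', { accept: 'application/json' }));
```

Run it with node: the first line printed shows a POST leaving with x-csrf-token and cookie headers, the second a GET that was left as it came in. In the real policy chain, only values written with context.setVariable are visible to a later Assign Message policy; plain var declarations stay local to the script, which is why the simulation writes csrf.token and csrf.cookie as flow variables.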
This is how we handle the CSRF token internally using policies in SAP APIM, so that the user does not need to fetch the CSRF token and post it to the backend manually.
Follow my profile to be notified of the next blog post. Please feel free to ask any questions you have in the comments section below.
In the next blog I will explain how to cache the CSRF token using the Lookup Cache and Populate Cache policies.
Hope you liked my first blog 🙂
Hi Korlam Venkata Ramana Sai Charan,
Great blog post! I see that you mention an old name in your blog post. Would you mind updating the old name(s)/acronyms listed below with their correct name(s)?
- 'SAP APIM' with SAP API Management
Your contribution will greatly help other community members who might not be familiar with the old names/acronyms of the current products.