Configuring X-CSRF using Actions Editor
Concept and Need:
A CSRF token is a unique, secret, and unpredictable value that is generated by the server side and transmitted to the client to prevent CSRF attacks. The client includes the token in every subsequent modifying (create, update, and delete) request. The server-side application validates the request and rejects it if the expected token is missing, invalid, or expired. This protects the application from unauthorised modification of the database by a malicious entity.
Most SAP APIs have X-CSRF protection enabled for the create, update and delete operations to protect the APIs against CSRF attacks. As a part of this feature, we provide the option to mark an action as X-CSRF relevant. Since GET requests do not change the state of the database, X-CSRF capability cannot be configured for a GET action.
Actions Editor – Feature List, Usage and Maintenance of Actions Project
Steps to configure the token fetch endpoint for an action:
1. Choose Enable X-CSRF from the overflow menu. This option is only available for database-modifying operations (POST, PUT, PATCH, DELETE).
2. The Enable X-CSRF dialog opens. In most cases, the endpoint used to fetch the X-CSRF token is the same as the endpoint called for the modifying action, so it is shown in the dialog by default. Enter the desired value for the token fetch endpoint and press Enable.
After the token fetch endpoint is configured, it appears in the top right-hand corner of the action details section, as shown below.
Note: In certain cases, a GET call to the token fetch endpoint can return a very large response. In such cases we suggest appending $top=1 to the endpoint, or using just /. E.g., the endpoint can be /A_BusinessPartner?$top=1 or /.
3. To update the token fetch endpoint, choose Update X-CSRF from the overflow menu.
4. The Update X-CSRF dialog opens. Enter the new value for the token fetch endpoint and press Update.
5. To disable X-CSRF, click Remove. The Remove X-CSRF dialog opens. Click Remove X-CSRF to disable the functionality for the given action.
Note: X-CSRF can also be disabled or enabled at the destination level, e.g., enabled in the production environment but disabled in the development environment. To do this, add a boolean property sap.lcnc.fetchXcsrf under the Additional Properties section of the destination configuration and set its value to true or false.
Thanks for reading, and I hope this helped you understand how to configure X-CSRF using Actions Editor. Please feel free to leave a comment if there are any questions; I would be happy to receive any feedback.
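The token handshake described in the concept section above (fetch a token with a GET, then echo it on every modifying request, with the server rejecting missing, invalid or expired tokens) and the token fetch endpoint configured in the steps above can be modelled end to end in a few dozen lines. The following is an added example and not code from the blog, the Actions Editor or SAP; it is a self-contained Python model in which the server and client are both in-process, and it assumes the SAP Gateway convention of a GET carrying the header X-CSRF-Token: Fetch and a 403 with X-CSRF-Token: Required on rejection. The session store, TTL, endpoint paths and session identifiers are constructed for the example.

```python
import hmac
import secrets
import time

# Constructed values for the example: token lifetime and the set of
# database-modifying methods for which a token is mandatory.
TOKEN_TTL_SECONDS = 1800
MODIFYING_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


class CsrfProtectedService:
    """In-process model of a server that issues and validates X-CSRF tokens.

    A non-modifying request carrying 'X-CSRF-Token: Fetch' receives a fresh
    token bound to the caller's session. Modifying requests must present the
    token bound to the same session; anything else is rejected with 403 and
    the 'X-CSRF-Token: Required' response header (SAP Gateway convention).
    """

    def __init__(self, ttl=TOKEN_TTL_SECONDS, clock=time.time):
        self._tokens = {}   # session_id -> (token, issued_at); stand-in for a session store
        self._ttl = ttl
        self._clock = clock  # injectable so expiry can be exercised deterministically

    def handle(self, method, path, headers, session_id):
        """Return (status, response_headers) for one request."""
        method = method.upper()
        hdrs = {k.lower(): v for k, v in headers.items()}

        if method not in MODIFYING_METHODS:
            # GET and friends never need a token; a fetch request issues one.
            resp = {}
            if hdrs.get("x-csrf-token", "").lower() == "fetch":
                token = secrets.token_urlsafe(32)      # unpredictable, per session
                self._tokens[session_id] = (token, self._clock())
                resp["X-CSRF-Token"] = token
            return 200, resp

        # Modifying request: the token must be present, unexpired and equal to
        # the one bound to this session.
        presented = hdrs.get("x-csrf-token")
        entry = self._tokens.get(session_id)
        if presented is None or entry is None:
            return 403, {"X-CSRF-Token": "Required"}
        token, issued_at = entry
        if self._clock() - issued_at > self._ttl:
            del self._tokens[session_id]             # expired: force a new fetch
            return 403, {"X-CSRF-Token": "Required"}
        # Constant-time comparison so a wrong token leaks nothing via timing.
        if not hmac.compare_digest(presented.encode(), token.encode()):
            return 403, {"X-CSRF-Token": "Required"}
        return 201, {}


def fetch_token(service, session_id, fetch_endpoint="/A_BusinessPartner?$top=1"):
    """Client side of the handshake: GET the (cheap, $top=1) token fetch
    endpoint with 'X-CSRF-Token: Fetch' and read the token from the response."""
    status, resp = service.handle("GET", fetch_endpoint,
                                  {"X-CSRF-Token": "Fetch"}, session_id)
    if status != 200 or "X-CSRF-Token" not in resp:
        raise RuntimeError("token fetch failed: %s %s" % (status, resp))
    return resp["X-CSRF-Token"]


def create_with_csrf(service, session_id, path):
    """Fetch a token, then perform the modifying call with it. Returns the status."""
    token = fetch_token(service, session_id)
    status, _ = service.handle("POST", path, {"X-CSRF-Token": token}, session_id)
    return status


if __name__ == "__main__":
    svc = CsrfProtectedService()
    print("POST without token:", svc.handle("POST", "/A_BusinessPartner", {}, "s1"))
    print("POST after fetch:  ", create_with_csrf(svc, "s1", "/A_BusinessPartner"))
```

The injectable clock is what lets the expiry branch be tested without waiting; in a real deployment the TTL would be tied to the session lifetime, and the token must be bound to the authenticated session (as the dictionary key is here) rather than accepted from any caller who can present a syntactically valid value.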
- Part 1 of the Blog Series: The New Actions Project – Major Changes including the Actions Editor Available Now !! | SAP Blogs
- Part 2 of the Blog Series/Parent Blog: Actions Editor – Feature List, Usage and Maintenance of Actions Project
I create a new oData on SAP onPrem with SEGW and all works fine with Postman.
I used this resource to convert $metadata into openAPI3 json to upload into Build PA when I created my action.
The import seems correct and I can do GET calls, but the option Enable X-CSRF is missing.
Is there any parameter to add into SEGW or openAPI json to enable this option?
The option has been moved into Project Settings.
In order to be able to call the service with the CSRF token from a process it is necessary to enter the complete path in the Token Fetch End Point field
E.g.: If the Resource Path is
in the Token Fetch End Point you need to write
Now I have another issue:
In my destination I defined property sap.lcnc.fetchXcsrf = true.
Following can be the reasons behind the error you are facing:
We have made some changes in our error messages to differentiate between the cases 1 and 2. Could you run the action again and post the error message in the reply? This will help in analysing the issue further.
I'll try to explain myself better.
I created an action to store data into a custom table in ECC on Premise, and when I test this action (with the defined destination), it works fine.
Instead, when I use the same action in a Process Automation, I get the error.
I tried to delete and re-create the BTP destination, but nothing changed.
The action into Process Automation has the same version release.
Thanks and Best regards,
Thank you for your response. I understand that the destination against which the action was executed exists in the BTP subaccount and the execution works perfectly in Action Editor.
Could you please confirm whether the destination was chosen before executing the action in Process Automation? If a destination is not chosen and the user proceeds with executing the action in Process Automation, in that case the following error will be thrown: