SAP Gateway CSRF Protection only works over HTTPS, not over HTTP


Today I faced the problem that (suddenly) the SAP Gateway stopped accepting CSRF tokens issued by itself.

Checked the network trace, everything is fine. The client gets a token using a GET request with the HTTP header

X-CSRF-Token: Fetch

and receives one, followed by an immediate POST request using the received token, which gets a 403 Forbidden status with the response body "CSRF Token could not be verified" (or similar).


There is 1 answer

Answer by iPirat (best answer)

By default, the CSRF protection is only enabled over HTTPS in SAP NetWeaver Gateway. How to enable CSRF over HTTP (and why not to do so) is described in the following SAP Note:

1896961 - HTTP/HTTPS Configuration for SAP NetWeaver Gateway

The important bit of the Note:

... set the instance profile parameter login/ticket_only_by_https to 0...
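The fetch-then-POST exchange from the question, modelled end to end, as an added example that is not part of the answer and not SAP's code: a constructed toy gateway that hands out a token on `X-CSRF-Token: Fetch` and validates it on POST. The way the `login/ticket_only_by_https` parameter is wired into the toy is an assumption made to reproduce the symptom described above (token issued but rejected over plain HTTP), not a description of the real gateway internals.

```python
import secrets

class GatewayModel:
    """Toy server modelling the handshake in the question; not SAP's implementation."""
    def __init__(self, ticket_only_by_https=1):
        # Profile parameter named in the SAP Note; its effect here is a simplification.
        self.ticket_only_by_https = ticket_only_by_https
        self.tokens = {}  # session id -> token the server will accept

    def handle(self, scheme, method, headers, session_id):
        """Return (status, response headers, body) for one request."""
        hdrs = {k.lower(): v for k, v in headers.items()}
        if method == "GET":
            if hdrs.get("x-csrf-token", "").lower() != "fetch":
                return 200, {}, "ok"
            token = secrets.token_urlsafe(16)
            # Modelled symptom (assumption): the token is handed out on any scheme,
            # but only remembered for validation when the transport is HTTPS or
            # the parameter has been set to 0, as the SAP Note describes.
            if scheme == "https" or self.ticket_only_by_https == 0:
                self.tokens[session_id] = token
            return 200, {"X-CSRF-Token": token}, ""
        expected = self.tokens.get(session_id)
        supplied = hdrs.get("x-csrf-token")
        if not expected or not supplied or not secrets.compare_digest(supplied, expected):
            return 403, {"X-CSRF-Token": "Required"}, "CSRF token validation failed"
        return 201, {}, "created"

def fetch_then_post(gateway, scheme, session_id="sess-1"):
    """Client side: GET with 'X-CSRF-Token: Fetch', then POST with the received token."""
    status, resp_hdrs, _ = gateway.handle(scheme, "GET", {"X-CSRF-Token": "Fetch"}, session_id)
    token = resp_hdrs.get("X-CSRF-Token")
    if status != 200 or not token:
        return status, "no token issued"
    status, _, body = gateway.handle(scheme, "POST", {"X-CSRF-Token": token}, session_id)
    return status, body

if __name__ == "__main__":
    default = GatewayModel()
    print("HTTP, default :", fetch_then_post(default, "http"))          # 403, as in the question
    print("HTTPS, default:", fetch_then_post(default, "https"))         # 201
    print("HTTP, param=0 :", fetch_then_post(GatewayModel(0), "http"))  # 201
```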