Concept and Need:
A CSRF token is a unique, secret, and unpredictable value that is generated by the server side and transmitted to the client to prevent CSRF attacks. The client includes the token in every subsequent modifying (create, update, and delete) request. The server-side application validates the request and rejects, if the expected token is missing, invalid, or expired. This protects the application from unauthorised modification of the database by a malicious entity.
Most SAP APIs have X-CSRF enabled for the create, update and delete operations to protect the APIs against CSRF attacks. As a part of this feature, we are providing the option to capture an action as X-CSRF relevant. Since GET requests do not change the state of a database, X-CSRF capability cannot be configured for a GET action.
Steps to configure the token fetch endpoint for an action:
1. Choose Enable X-CSRF from the overflow menu. This option will only be available for database modifying operations (POST, PUT, PATCH, DELETE).
After the token fetch endpoint is configured, it will appear on the top right hand corner of the action details section as shown below.
2. Enable X-CSRF dialog opens. In most cases, the endpoint to fetch the X-CSRF token is the same as the endpoint that needs to be called for a modifying action, hence it is shown in the dialog by default. Enter the desired value for the token fetch endpoint and press Enable.
Note: In certain cases, the GET call to the token fetch endpoint can return a huge response. We suggest adding $top = 1 to the endpoint or just having / in such cases. E.g., the endpoint can be /A_BusinessPartner?$top=1 or /.
3. To update the token fetch endpoint, choose Update X-CSRF from the overflow menu.
4. Update X-CSRF dialog opens. Enter the new value for the token fetch endpoint and press Update.
5. To disable X-CSRF, click on Remove. The Remove X-CSRF dialog will show up. Click on Remove X-CSRF to disable the functionality for the given action.
Note: It is possible to disable/enable CSRF at the destination level e.g., X-CSRF could be enabled in the production environment but disabled in the development environment. To achieve this, we need to add a boolean property sap.lcnc.fetchXcsrf under the Additional Properties section of the destination configuration and set its value to true/false.
Thanks for reading and I hope it helped to understand the concept of configuring X-CSRF using Actions Editor. Please feel free to leave a comment if there are any questions and I would be happy to receive any feedback.