SAP Gateway CSRF Protection only works over HTTPS, not over HTTP

Question

Today I faced the problem that (suddenly) the SAP Gateway stopped acceppting CSRF tokens issued by himself.

Checked the network trace, everything is fine. The Client gets a token using GET Method and the HTTP Header

X-CSRF-Token: Fetch

receiving one, followed by an immediate POST request using the received Token and getting a 403 Forbidden status with response Body "CSRF Token could not be verified" (or similar)

iPirat · Accepted Answer · 2014-12-17T10:04:54.950

1

By default, the CSRF Protection is only enabled over HTTPS in SAP Netweaver Gateway. How to enable CSRF over HTTP (and why not to do so) is described in the following SAP Note:

1896961 - HTTP/HTTPS Configuration for SAP NetWeaver Gateway

The important bit of the Note:

... set the instance profile parameter login/ticket_only_by_https to 0...

edited Dec 17 '14 at 10:04

answered Dec 17 '14 at 09:12

iPirat

2,197
1
17
30

SAP Gateway CSRF Protection only works over HTTPS, not over HTTP

1 Answers1