CSRF Tokens
A CSRF (Cross Site Request Forgery) Token is a secret, unique and unpredictable value that server-side application generates in order to protect CSRF vulnerable resources. The tokens are generated and submitted by the server-side application in a subsequent HTTP request made by the client.
Card developers describe the CSRF tokens in the configuration/csrfTokens
subsection of the manifest.
These tokens can be referred inside a data request using a binding syntax like
{csrfTokens>/myCSRFToken/value}
.
CSRF Token Properties
Property | Type | Required | Description | Schema Version | Since |
---|---|---|---|---|---|
data | Data | Yes |
Data request to obtain the token.
Note: By default the token will be taken from the X-CSRF-Token response header.
|
1.38.0 | 1.97 |
CSRF Tokens Model
The following values are available for every CSRF token and can be used in data requests:
Path | Description | Schema Version | Since |
---|---|---|---|
{csrfTokens>/keyOfTheToken/value} | The value of the token. | 1.62.0 | 1.121 |
Note: The syntax {{csrfTokens.myCSRFToken}} is deprecated as of version 1.121.0.
Example
An example with a card which fetches data and uses CSRF Tokens:
"sap.card": { "type": "List", "configuration": { "destinations": { "ProductsMockServerWithCSRF": { "name": "ProductsMockServerWithCSRF", "label": "Products Mock CSRF", "defaultUrl": "/getDataWithCSRF" } }, "csrfTokens": { "token1": { "data": { "request": { "url": "{{destinations.ProductsMockServerWithCSRF}}/Token", "method": "HEAD", "headers": { "X-CSRF-Token": "Fetch" } } } } } }, "data": { "request": { "url": "{{destinations.ProductsMockServerWithCSRF}}/Products", "parameters": { "$format": "json" }, "method": "GET", "headers": { "X-CSRF-Token": "{csrfTokens>/token1/value}" } }, "path": "/data" }, "header": { "title": "Products", "subTitle": "Weight Information", "icon": { "src": "sap-icon://product" } }, "content": { "item": { "title": "{Name}", "info": { "value": "{= format.unit(${Weight}, ${WeightUnit})}" } }, "maxItems": 4 } }Try it Out