Limitations when Configuring CSRF Guard in Integration Server
When you enable or disable CSRF guard in Integration Server, you must refresh the web browser.
You cannot use the CSRF guard feature if your Integration Server runs as part of a non-clustered group of Integration Servers in which the ISInternal functional alias on each server points to the same database.
Integration Server does not insert CSRF secure tokens into custom DSP pages that navigate using the JavaScript Location object (for example, document.location or window.location.href). You must update these pages manually so that the token is included in the URL they navigate to.
You do not have to define the JavaScript variables _csrfTokenNm_, _csrfTokenVal_, is_csrf_guard_enabled, and needToInsertToken yourself; they are provided by csrf-guard.js. However, you must include Integration Server_directory\instances\instance_name\packages\WmRoot\csrf-guard.js in your DSP before using these variables.
Integration Server inserts CSRF secure tokens into links in DSPs only if those links point to a DSP. Links that point elsewhere (for example, directly to an /invoke/ URL) must be updated manually to include the CSRF secure token.
For example, if your DSP contains the following link, which points to an invoke URL rather than to a DSP:
<a href="/invoke/wm.sap.Transaction/viewAs?type=xml"></a>
You must replace it with the following code, which appends the secureCSRFToken parameter to the query string:
<a href="/invoke/wm.sap.Transaction/viewAs?type=xml&secureCSRFToken=%value secureCSRFToken%"></a>
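The same manual fix is needed when a DSP navigates from script through the Location object, because Integration Server does not rewrite those URLs either. The following is an added example, not code from the Integration Server documentation or from the WmRoot package. It assumes (this is not stated on the page) that csrf-guard.js defines _csrfTokenNm_ as the query-parameter name (secureCSRFToken) and _csrfTokenVal_ as the current token value, and that is_csrf_guard_enabled is a boolean; the helper functions take those as arguments so they can be exercised outside a DSP, and the /invoke/pub.flow/debugLog URL in the usage is a made-up target.

```javascript
// Added example: append the CSRF guard token to a URL that a DSP navigates
// to from script (window.location.href, document.location), where
// Integration Server does not insert the token automatically.
//
// Assumptions (not stated on the page): csrf-guard.js defines
// _csrfTokenNm_ as the query-parameter name ("secureCSRFToken"),
// _csrfTokenVal_ as the current token value, and is_csrf_guard_enabled
// as a boolean. They are passed in as arguments here so the logic can
// run stand-alone.

function withCsrfToken(url, tokenName, tokenValue) {
  // Split off any fragment first: the token must go in the query string,
  // because the browser never sends the part after '#' to the server.
  var hashIdx = url.indexOf('#');
  var fragment = hashIdx >= 0 ? url.slice(hashIdx) : '';
  var base = hashIdx >= 0 ? url.slice(0, hashIdx) : url;

  var qIdx = base.indexOf('?');
  var path = qIdx >= 0 ? base.slice(0, qIdx) : base;
  var query = qIdx >= 0 ? base.slice(qIdx + 1) : '';

  // Drop any existing copy of the token so a stale value is not sent
  // alongside the fresh one.
  var params = query.split('&').filter(function (p) {
    return p.length > 0 && p.split('=')[0] !== tokenName;
  });
  params.push(encodeURIComponent(tokenName) + '=' + encodeURIComponent(tokenValue));

  return path + '?' + params.join('&') + fragment;
}

// Navigate to a non-DSP URL from a DSP, adding the token only when the
// guard is enabled. 'nav' performs the actual navigation (injected so the
// function can be tested without a browser); the target URL is returned.
function csrfSafeNavigate(url, nav, guardEnabled, tokenName, tokenValue) {
  var target = guardEnabled ? withCsrfToken(url, tokenName, tokenValue) : url;
  nav(target);
  return target;
}

// Browser usage inside a DSP that has already included csrf-guard.js.
// (Skipped when run outside a browser.)
if (typeof window !== 'undefined' && typeof is_csrf_guard_enabled !== 'undefined') {
  csrfSafeNavigate(
    '/invoke/wm.sap.Transaction/viewAs?type=xml',
    function (u) { window.location.href = u; },
    is_csrf_guard_enabled, _csrfTokenNm_, _csrfTokenVal_);
}
```

The helper removes any earlier secureCSRFToken parameter before appending the current value and keeps a fragment, if present, after the query string; a naive `url + '&secureCSRFToken=' + value` gets both of those cases wrong.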
For more information about using CSRF guard in DSPs, see "Securing DSPs Against CSRF Attacks" in the Dynamic Server Pages and Output Templates Developer's Guide.