Update XSJSCsrfDisabled #197

Merged
merged 2 commits into from
May 27, 2025
38 changes: 21 additions & 17 deletions javascript/frameworks/xsjs/src/XSJSCsrfDisabled/XSJSCsrfDisabled.md
@@ -1,33 +1,37 @@
# Disabled XSJS CSRF protection
# CSRF protection disabled in HANA XS application

A web server that receives a request from a client without verifying that it was intentionally sent might be vulnerable to Cross Site Request Forgery (CSRF). An attacker can trick a client into making an unintended request to the web server that will be treated as an authentic request. This can be done via a URL, image load, XMLHttpRequest, etc. and can result in exposure of data or unintended code execution.
This XS application is not protected against CSRF (cross-site request forgery) because it either disables the protection or fails to enable the protection explicitly.

## Overview

A web server that receives a request from a client without verifying that it was intentionally sent might be vulnerable to Cross Site Request Forgery (CSRF). An attacker can trick a client into making an unintended request to the web server that will be treated as an authentic request. This can be done via a URL, image load, `XMLHttpRequest`, etc. and can result in exposure of data or unintended code execution.

## Recommendation

SAP’s recommendation is to use CSRF protection for any request that could be processed by a browser client by normal users.
- In `XS Advanced` CSRF protection is enabled by default and should not be disabled.
- In `XS Classic` CSRF protection should be enabled explicitly.
SAP’s recommendation is to use CSRF protection for any request that could be processed by a browser client by normal users.
- If `XS Advanced` is used, CSRF protection is configured with the `"csrfProtection"` property of `xs-app.json`. It is **enabled by default and should not be disabled.**
- If `XS Classic` is used, CSRF protection is configured with the `"prevent_xsrf"` property of `.xsaccess`. It is **disabled by default and should be enabled explicitly.**

## Example

The following `xs-app.json` fragment enables CSRF protection in XSJS.
The following `xs-app.json` fragment disables CSRF protection of the application it configures.

```json
"routes": [
{
"source": "/bad/(.*)",
"destination": "srv_api",
"csrfProtection": true,
...
}
]
{
"source": "/bad/(.*)",
"destination": "srv_api",
"csrfProtection": false,
...
},
...
}
]
```

## References

* SAP: [Server-Side JavaScript Security Considerations](https://help.sap.com/docs/SAP_HANA_PLATFORM/d89d4595fae647eabc14002c0340a999/e8a6bc904c0c48a182288604f467e84a.html).
* OWASP: [Cross-Site Request Forgery (CSRF)](https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)).
* Common Weakness Enumeration: [CWE-352](https://cwe.mitre.org/data/definitions/352.html).
- SAP: [XS Advanced Application Router Configuration Syntax](https://help.sap.com/docs/SAP_HANA_PLATFORM/b3d0daf2a98e49ada00bf31b7ca7a42e/a9fc5c220d744180850996e2f5d34d6c.html?version=2.0.03#loioa9fc5c220d744180850996e2f5d34d6c__section_N101F7_N10016_N10001), relavant to XS Classic applications.
- SAP: [Application-Access File Keyword Options, prevent_xsrf](https://help.sap.com/docs/SAP_HANA_PLATFORM/4505d0bdaf4948449b7f7379d24d0f0d/5f77e58ec01b46f6b64ee1e2afe3ead7.html#authenticationmethod), relevant to XS Advanced applications.
- SAP: [Server-Side JavaScript Security Considerations](https://help.sap.com/docs/SAP_HANA_PLATFORM/d89d4595fae647eabc14002c0340a999/e8a6bc904c0c48a182288604f467e84a.html).
- Common Weakness Enumeration: [CWE-352](https://cwe.mitre.org/data/definitions/352.html).
- OWASP: [Cross-Site Request Forgery (CSRF)](https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)).
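Review bot: the two new SAP reference entries at the end of the hunk carry the wrong platform labels and contradict the Recommendation section earlier in the same hunk. The Recommendation states that `xs-app.json` / `"csrfProtection"` belongs to `XS Advanced` and `.xsaccess` / `"prevent_xsrf"` belongs to `XS Classic`, but the reference list says the opposite: `XS Advanced Application Router Configuration Syntax ... relavant to XS Classic applications.` and `Application-Access File Keyword Options, prevent_xsrf ... relevant to XS Advanced applications.` The labels should be swapped (and "relavant" corrected to "relevant") so the links point readers at the right configuration file for their platform. Since the Recommendation now says protection is disabled by default in XS Classic and must be enabled explicitly, the Example section would also benefit from a second fragment showing the `.xsaccess` form with `"prevent_xsrf"` set, alongside the `xs-app.json` fragment with `"csrfProtection": false`; otherwise XS Classic readers have no concrete illustration of the case the query flags. Minor: the closing of the new JSON fragment (`},` followed by `...` and then `}` before `]`) reads as unbalanced; if the trailing `}` is meant to close the surrounding object, the `]` should come before it.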