Hi Seyed,
As per this document on CSRF tokens, "Cross-Site Request Forgery Protection - SAP Gateway Foundation (SAP_GWFND) - SAP Library", there are two possible scenarios:
1. A CSRF token is only generated after authentication on the server. Therefore, modifying operations for public services that do not require authentication are not supported by the CSRF token-based protection.
You need to check whether any username/password is hardcoded in the SICF node. If it is hardcoded, please remove the credentials.
2. Cookies must be sent back to the server. HTTPS must be used if the server sends secure cookies.
Applicable for modifying requests with HTTP: If the HTTP status code 403 (forbidden) is displayed together with the information that a valid CSRF token is required, check that the profile parameter login/ticket_only_by_https is set to 0 (false) and not 1 (true) in transaction Maintain Profile Parameters (RZ11). By setting the value of this profile parameter to 0, you can enable the use of cookies for HTTP.
Regards,
Ekansh
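
An added example, not part of the reply above and not SAP code: a small offline check that takes the response headers from a CSRF token fetch and reports which of the two scenarios explains a later 403. The host, service path and cookie values are constructed placeholders, and the function names are hypothetical.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed sample: Set-Cookie headers returned with a token fetch.
# Values are placeholders, not real tickets or session ids.
SAMPLE_SET_COOKIE = [
    "MYSAPSSO2=PLACEHOLDERTICKET; path=/; secure; HttpOnly",
    "SAP_SESSIONID_XYZ_100=PLACEHOLDERSESSION; path=/",
]

def split_cookies(url, set_cookie_headers):
    """Return (sent, withheld): cookie names a client sends back to url,
    and names it withholds because they are Secure and url is not HTTPS."""
    scheme = urlsplit(url).scheme.lower()
    sent, withheld = [], []
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            if morsel["secure"] and scheme != "https":
                withheld.append(name)
            else:
                sent.append(name)
    return sent, withheld

def diagnose(url, token, set_cookie_headers):
    """Classify a token fetch against the two scenarios in the reply."""
    sent, withheld = split_cookies(url, set_cookie_headers)
    if not token:
        # Scenario 1: the token is only generated after authentication.
        return "no-token: request was not authenticated, no CSRF token issued"
    if withheld:
        # Scenario 2: secure cookies are not returned over plain HTTP, so
        # the modifying request arrives without the session it needs.
        return "secure-cookies-over-http: " + ", ".join(withheld)
    if not sent:
        return "no-cookies: server set no cookies to send back"
    return "ok"

if __name__ == "__main__":
    # Constructed service URL; only the scheme matters for the check.
    for url in ("http://gateway.example/sap/opu/odata/PLACEHOLDER_SRV/",
                "https://gateway.example/sap/opu/odata/PLACEHOLDER_SRV/"):
        print(url, "->", diagnose(url, "PLACEHOLDERTOKEN", SAMPLE_SET_COOKIE))
```

A `secure-cookies-over-http` result is the case the reply's second point covers: either call the service over HTTPS, or review login/ticket_only_by_https as described there.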