Handle Outsystems-Request-Token and X-CSRF-Token automated scans

Hi. We have developed a simple outsystems application. I Could see that there two request headers. Outsystems-Request-Token and X-CSRF-Token.

I have also read official documentation about these two headers on outsystems blog.

My query here is how to handle these two request headers in automated scripts? Do these headers have any dependency while doing any of the automated scan?

Thanks in advance.


Hi Bharath,

OutSystems uses a common anti forgery method for HTTP posts.

You will notice that after login the X-CSRFToken changes. In your automated scan you need to retrieve the token in the login response from part of a cookie, decode it and send it in the X-CSRFToken header for any further POSTs.

I hope this helps.

Kind regards,


Hi @Stuart Harris It helped. Thanks for your response. 

@Stuart Harris how are we going to decode it when we receive it as part of the cookies from the Login response. Also are we going to send it in the header for subsequent posts, encoded again as we received it or decoded?


The cookie data is URL encoded, Yes you need to send it back in the header decoded.

Kind regards,


Community GuidelinesBe kind and respectful, give credit to the original source of content, and search for duplicates before posting.