0 votes


I have trouble with the openUrlSecure POST request.

I checked with Postman and I got a 200 OK response, but with openUrlSecure I got: Unauthorized: CSRF validation failed from the server. Status code 401.

My code:

function test1() {
    var headers = TStringList.Create;
    try {
        // One header per line; headers.Text joins them with line breaks
        headers.Add('Content-Type: application/json; charset=utf-8');
        headers.Add('X-CSRF-Token: XXX');

        var data = JSON.stringify({ "username": "XX", "password": "XXX"});
        var openURLResult  = Efficy.openUrlSecure("https://myPath/login.json", data, headers.Text, "POST");

    } catch(e) {
        // exception ignored, as in the original post
    } finally {
        return openURLResult.statusCode;
    }
}

To get the token, I run a similar function with no data and no token header and it works fine.

asked in Partners by (182 points)

3 Answers

+1 vote
Best answer

Be sure the header from the token is correct:

  1. Double check the casing
  2. Maybe the token itself should be passed as a string between double quotes, e.g. "XXX"

Like this:

headers.Add('X-CSRF-Token: "XXX"');

Instead of using the TStringList, you could also stay native JS and work with an array:

headers = ['Content-Type: application/json; charset=utf-8', 'X-CSRF-Token: "XXX"'].join("\n");

answered by (7.3k points)
selected by
Did you find the source of the issue?
It would be great if you can share the solution. I've got the same issue when I have to add multiple header-items:
var headersText = ['Content-Type: application/json', 'X-CSRF-Token: 2icDv1VHt21RYUiCjRI3xumpcPe2vvnZ187z61QbUXU'].join("\n");

So how to pass more than one header in the request?
+1 vote


I advise you to run these 2 requests (1 with Postman, 1 with your script) on your local server (in HTTP) and see with Wireshark what the differences between them are.

Alternatively, you can run these 2 requests on a "request bin" (e.g. http://requestbin.fullcontact.com) and compare the results.



answered by (663 points)
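The comparison suggested in the answer above, as an added example that is not part of the original thread: it parses two raw request captures and reports which headers are missing or differ in the failing one. The captures, host name, placeholder values and the function names `parseHeaders` and `diffRequests` are constructed for illustration.

```javascript
// Constructed sample captures (not taken from the thread): the same POST
// as sent by Postman (works) and by a server-side script (rejected).
const postmanCapture = [
  'POST /login.json HTTP/1.1',
  'Host: example.test',
  'Content-Type: application/json; charset=utf-8',
  'X-CSRF-Token: TOKEN-PLACEHOLDER',
  'Cookie: SESSION=SESSION-PLACEHOLDER',
  '',
  '{"username":"XX","password":"XXX"}'
].join('\r\n');

const scriptCapture = [
  'POST /login.json HTTP/1.1',
  'Host: example.test',
  'content-type: application/json; charset=utf-8',
  'X-CSRF-Token: "TOKEN-PLACEHOLDER"',
  '',
  '{"username":"XX","password":"XXX"}'
].join('\r\n');

// Parse the header block of a raw HTTP/1.1 request into a Map keyed by
// lower-cased header name (header names are case-insensitive).
function parseHeaders(raw) {
  const head = raw.split(/\r?\n\r?\n/)[0];
  const headers = new Map();
  for (const line of head.split(/\r?\n/).slice(1)) { // skip the request line
    const i = line.indexOf(':');
    if (i < 1) continue; // not a header line
    const name = line.slice(0, i).trim().toLowerCase();
    const value = line.slice(i + 1).trim();
    // Repeated headers are joined so none is lost in the comparison.
    headers.set(name, headers.has(name) ? headers.get(name) + ', ' + value : value);
  }
  return headers;
}

// Report headers missing from either side and headers whose values differ.
function diffRequests(working, failing) {
  const a = parseHeaders(working), b = parseHeaders(failing);
  const report = { missingInFailing: [], extraInFailing: [], different: [] };
  for (const [name, value] of a) {
    if (!b.has(name)) report.missingInFailing.push(name);
    else if (b.get(name) !== value) report.different.push(name);
  }
  for (const name of b.keys()) if (!a.has(name)) report.extraInFailing.push(name);
  return report;
}

console.log(diffRequests(postmanCapture, scriptCapture));
```

A CSRF token is normally checked against the session that issued it, so a `cookie` entry under `missingInFailing` is the first thing to look for.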
0 votes

I still have issues using openUrlSecure or openURL2. Both have the same issue: passing multiple headers. If I use Postman it works immediately, but using (Efficy) JavaScript does not work. Any ideas?

answered by (219 points)
It does work with the newline \n separation. I just tested it again and included also a 5th use case in the openUrlSecure tutorial. It demonstrates an example with form-data post and multiple headers.

Hi Kristof,

Thanks for your input. In the meantime I found out that the issue has to do with passing cookies. What I'm trying to do:
- post a login request (this works)
- use the result with a token and cookie for the next post request
The problem is passing the cookie. When using Postman or similar programs, this works perfectly, but somehow this does not work using a server side script. Do you have any experience with this?
No, I don't have experience with set-cookie headers and openUrlSecure. I'll make another use case for that. I'll make a script that logs on to the Efficy /admin console and scrapes some info from the active sessions.
That would be great, thanks!
It seems that cookies are automagically handled by openUrlSecure, just like Postman and SoapUI do. I tested the scraping of the Efficy console from a SchedulerAdmin and that worked out of the box.
Try the 6th use case and see if that also works for your version and for instance from ServerJS.