After reading this article you will know:

  • What CSRF is
  • How to protect your application from CSRF


Cross-Site Request Forgery (CSRF) is an attack that forces an (end) user to execute unwanted actions on a web application in which they're currently authenticated. Without protection an attacker could potentially submit data to the application through another user. (read more about CSRF)

CSRF protection

You can add a csrf_tag to your form to protect it. The CSRF tag generates a hidden <input> tag with a specific token which will be sent along to the POST to identify the POST request. This CSRF token ensures that the POST request came from your application, and not any other website or app.

Enabling CSRF protection on your webpage

You can check the checkbox Enable CSRF on your POST webpages to enable the CSRF protection. You will have to put #{{csrf_tag}} in the forms of your page template for this to work. Example:

[ ... ]

If you don't have the csrf_tag in your form you will most likely get the error:

Invalid CSRF (Cross Site Forgery Protection) token, make sure all requests include a '_csrf' param

If you do have the correct setup and still receive this message, you can try logging out and back in again to reset the token.

Did this answer your question?