Csrf and postman

Hello! I am using postman to experiment with requests to a phoenix app. I get login credentials by submitting username and password. What I get back is a jwt token. This is how my front end app communicates with the phoenix app. I think I need to set the value of x-csrf-token in the headers. Setting it to “Bearer ey…J9.eyJ…biJ9.LBY…LWpI”, which is the returned jwt token, does not work.

The error message is

Plug.CSRFProtection.InvalidCSRFTokenError at POST /archive/1
invalid CSRF (Cross Site Request Forgery) token, make sure all requests include a valid ‘_csrf_token’ param or ‘x-csrf-token’ header

Many thanks in advance.

1 Like

This token is created and maintained by Phoenix through requests, and in:

pipeline :browser do
    plug :accepts, ["html"]
    plug :fetch_session
    plug :fetch_flash
    plug :protect_from_forgery
    plug :put_secure_browser_headers
    plug CORSPlug

The protect_from_forgery plug line is what checks that they match. It’s not the same as your JWT token.

In your case I assume you want to keep the CSRF protection (you have regular pages and not an API only backend) but at the same time you want to test it from an external program that just emits requests. In this case you can temporarily comment out the plug line in the router pipeline (which is fine if you remember to put it back and just want to try some quick test).

If you want to use this in tests more systematically then you can also [disable csrf for testing] purposes (https://hexdocs.pm/plug/Plug.CSRFProtection.html#module-disabling)


@amnu3387 I was in smilar situation as topic owner. I get a post request from a third party api. I created new pipeline without protect_from_forgery . Is that security issue?. Example of my controller.

	request =[
    processId: get_session(conn, :current_process_id),
        token: get_session(conn, :token)

    json_respond = MyApp.ThirdPartyApiCient.check_process(request)
    {:ok, respond } = JSON.decode(json_respond)

    if respond["status"] == "SUCCESS" do
1 Like

It’s very easy to see if it can be a security issue, just ask, “if I knew the route to where to direct a post request, along with a certain payload” would I be able to trigger it’s side effects? Then depending on the side-effects it will be or not a security issue.
If to make the request produce its side effects I require information that is temporary and changing in nature and not available to me (a JWT token, a session token, a payload signature) then it’s safe (up to a reasonable expectation) I would say


That is a callback path. I get process token from session. And after success status app deletes session. I dont take any paramater from params. Also can i handle that callback with default browser pipeline ?

Edit: i added "#{Plug.CSRFProtection.get_csrf_token]" end of callback now i use default browser pipeline. Thanks @amnu3387

Thanks so much …

I’ve put

key = x-csrf-token

in the Headers section of Postman, but still get the CSRF error … must be still doing something wrong.


how about when you pass as ‘_csrf_token’ param ?

Edit: I got same error when i created in command line. But when app creates in controller it works

Actually that wouldn’t work at all since there won’t be a session nor token for it to be matched. What I wrote earlier doesn’t make sense (printing the token in the console), since it will retrieve you another process csrf token (for the console process), which won’t match the process handling the incoming postman request.

Not having used Postman in this situation, I would imagine that you need to request the login, read the answer back and use that to further query your endpoint. You could pass the csrf token in the login response as well and then use that to set the header, along with your JWT, or encode it inside the JWT as well and forego the CSRF protection plug. (I never used JWT either but I think it’s how it’s done when you’re using JWT…). But sincerely, probably it’s just easier to disable the plug for testing…

@amnu3387 i added <%= Plug.CSRFProtection.get_csrf_token %> to my index page. I visited index page using postman. I tested nearly 20 tokens manually using postman again. But some of them working some of them not working. A bug ?

I have no idea

I digged more when a token includes + it doesnt work. for example


at error screen that token turns to that, plus dissappears
"HVIlKXk5eEYJby8uQW8dCTc ISkINgAAy9Ka2p45OWci27Y9uOIYDA=="

I a in a similar situation as this post owner. I have an API only app which has to produce the csrf token by get_csrf_token() and pass it on to angular app. Currently I am trying ot make a post request via Postman. I have set this token generated in header X-CSRF-Token or passing through parameter like _csrf_token. But always getting Invalid token InvalidCSRFTokenError.

For some reason, when you go through the API route, the _csrf_token key is missing from the session or set to the masked value. I don’t remember since has been a while since I had this problem. The way I made it work is create an endpoint where the app can get a new CSRF token and that endpoint sets the _csrf_token key in the session to the unmasked value

def show(conn, _) do
    csrf_token = Plug.CSRFProtection.get_csrf_token()

    |> fetch_session()
    |> put_session("_csrf_token", Process.get(:plug_unmasked_csrf_token))
    |> render("show.json", token: csrf_token)

The idea is that each time you create a new CSRF token, you put the masked value in the session. I hope this helps.

Thanks for your help.

I have put plug :protect_from_forgery in routes
and in some controller

def csrf_token(conn, _params) do
    csrf_token = Plug.CSRFProtection.get_csrf_token
    |> fetch_session()
    |> put_session("_csrf_token", Process.get(:plug_unmasked_csrf_token))
    |> put_view(MyAppWeb.APIV2.UserView)
    |> render("session_token.json", token: csrf_token)

For the first service request, it recognized the csrf token and worked properly.
But subsequent request it is getting the same Invalid CSRF token error.
Even I generated the new token, but not able to succeed.

Also please let me know, when this token will get cleared off, if it works in subsequent requests?

Please help on this.

I just tested it and it works as it should. I am not using Postman. I use Insomnia or RESTer for Firefox.

What I do is contact the token generating endpoint e.g.: http://localhost:4000/api/token which returns a json like

  "token": "VxIYVQMwHXIAAFcGISBcEBsRchA-AmAhcYZgkqp4mr6nNM2hhdBcxTUl"

I put that token in every request I want to make to the server in the x-csrf-token header and it works fine. If I contact again that endpoint it will return a new token and I will have to update the header in all the requests because the old token is now invalid.

Maybe there is some problem with the cookies, session or maybe the app contacts often the token endpoint and doesn’t update the requests header.

I would suggest you inspect the conn struct in the failing controller, once when it succeeds and once when it fails. Look under the req_headers key if there is any "x-csrf-token" tuple and if it’s value is the same both times.

Also check under the :private key for :plug_session => %{"_csrf_token" => "lfiUShv-j1sI5Q4z20k7B-WD"} and if the _csrf_token value remains the same.

I found the major difference in :private key for :plug_session.
For succeeding request it is :plug_session => %{"_csrf_token" => “dYmLXL3R1plGyrLaFjyriM2U”},
For failing request is is :plug_session => %{},

Also with Postman, atleast we are able to get the First response working.
With RESTer for chrome, none of the requests are recognizing the csrf token.