Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Passing a CSRF token in the request header #70

Closed
fdeage opened this issue May 30, 2020 · 11 comments
Closed

Passing a CSRF token in the request header #70

fdeage opened this issue May 30, 2020 · 11 comments

Comments

@fdeage
Copy link

fdeage commented May 30, 2020
edited

Hey, really like HTMX, nice job!
However I can't figure out how to pass my CSRF token in the request headers (or to actually configure headers at all).

It's strange because I used intercooler before, and I never had a missing CSRF token...

EDIT: I'm using Elixir/Phoenix
@1cg
Copy link
Contributor

1cg commented May 30, 2020

Hi There,

Huh, seems like it should "just work" with rails forms, unless we aren't including hidden inputs properly....

@rschroll
Copy link
Contributor

If you're not using form submissions, you can insert the CSRF token into all htmx requests with a bit of JS. Here's what I have in a Django template:

document.body.addEventListener('configRequest.htmx', (event) => {
    event.detail.headers['X-CSRFToken'] = '{{ csrf_token }}';
})

@fdeage
Copy link
Author

fdeage commented May 31, 2020

Thanks for your reply.
It's weird but this event is never triggered...

@rschroll
Copy link
Contributor

rschroll commented Jun 1, 2020

I'm afraid the best advice I can give is to enable logging (https://htmx.org/docs#events). This may help us see if the events are getting gobbled up by some other handler.

Maybe someone else has more insight.

@1cg
Copy link
Contributor

1cg commented Jun 10, 2020

Hey fdeage, I have added another plugin that does something similar to what you want here:

2305aed

That code should definitely work for what you are trying to do.

@1cg 1cg closed this as completed Jun 10, 2020
@fdeage
Copy link
Author

fdeage commented Jun 17, 2020

Thanks @chg20, I'll give it a try!

@mblayman
Copy link

mblayman commented Feb 6, 2021

For readers as of 2021, I followed @rschroll's suggestion, but the event is renamed in the version that I'm using (1.1.0 at the time of this comment):

document.body.addEventListener('htmx:configRequest', (event) => {
  event.detail.headers['X-CSRFToken'] = '{{ csrf_token }}';
})

Thanks @rschroll!

@srkunze
Copy link
Contributor

srkunze commented Feb 9, 2021
edited

@mblayman For Django, I just wanted to add, this code snippet should be placed at the end of body (at least it didn't work for me when placed in head after xhtm.js loading).

@sasha-co
Copy link

For readers as of 2021, I followed @rschroll's suggestion, but the event is renamed in the version that I'm using (1.1.0 at the time of this comment):

document.body.addEventListener('htmx:configRequest', (event) => {
  event.detail.headers['X-CSRFToken'] = '{{ csrf_token }}';
})

Thanks @rschroll!

It probably should be X-CSRF-Token instead of X-CSRFToken, but the idea is there and it works.

@zachbellay
Copy link

For any future readers, I was running into a problem where I was using hx-delete and got Forbidden (CSRF token missing or incorrect.): even with @rschroll 's code snippet. It turns out I just needed to move it to the bottom of my base.html file after all other content. I am using Django 3.2, htmx 1.1.0.

@srkunze
Copy link
Contributor

srkunze commented Oct 26, 2021

@1cg would it make sense to add a sentence or two to the docs?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
7 participants
@rschroll @1cg @mblayman @srkunze @fdeage @sasha-co @zachbellay