
Kraken.js CSRF Handling


Actually, your problem is that you have:

<input type="hidden" name="_crsf" value="<%= _csrf %>" />

instead of:

<input type="hidden" name="_csrf" value="<%= _csrf %>" />

Note the typo in the name attribute.


The trick is that you need to wrap your POST test inside a GET and parse the necessary CSRF token from the cookie.

Here's an example: https://stackoverflow.com/a/18776974/1935918


CSRF in Kraken is pretty much entirely handled by the csrf connect middleware (with the one addition being exposing the token to your views as _csrf).

A little more information would go a long way (req/res headers at the least, but a HAR would be awesome), but I can see a few ways this might happen:

  1. The csrf secret (not token, mind you) is being regenerated or removed some time between the initial GET and the POST. The only way this is possible is if the value stored as _csrfSecret in the session is changed or deleted between requests. Make sure your session is working properly.
  2. One of the security headers is giving you grief. Try turning them off temporarily with something like the following in your middleware-development.json:

    {
      "middleware": {
        "appsec": {
          "csp": false,
          "xframe": false,
          "p3p": false
        }
      }
    }