Kraken.js CSRF Handling
The trick is that you need to wrap your POST test inside a GET and parse the necessary CSRF token from the cookie.
Here's an example: https://stackoverflow.com/a/18776974/1935918
csrf in kraken is pretty much entirely handled by the csrf connect middleware (with the one addition being exposing the token to your views as `_csrf`).
A little more information would go a long way (req/res headers at the least but an HAR would be awesome) but I can see a few ways this might happen:
- The csrf secret (not token, mind you) is being regenerated or removed some time between the initial GET and the POST. The only way this is possible is if the value stored as `_csrfSecret` in the session is changed or deleted between requests. Make sure your session is working properly.
- One of the security headers is giving you grief. Try turning them off temporarily with something like the following in your `middleware-development.json`:

  { "middleware": { "appsec": { "csp": false, "xframe": false, "p3p": false } } }