Urgent: POST APIs Working Without CSRF Token in Publish Instance

Level 2
June 19, 2025

  • 3 replies
  • 607 views

Hi Team,

Quick and urgent query:
In my project, all POST APIs are working fine and returning a success response without passing a CSRF token.

Is this the expected behavior in the publish instance, or should it return a 403 error if the CSRF token is missing? Which one is correct?

I do not want any POST call to succeed without a valid CSRF token.

How can I enforce this properly in the publish environment?

PUBLISH Config


Can you please provide me a fix asap?

Thank you

3 replies

Murali__D (Author)
Level 2
June 19, 2025

And on the author instance, the same POST requests return 403 Forbidden when the CSRF token is not provided.

giuseppebaglio
Level 10
June 20, 2025

Is this occurring for all POST requests or just some? Are the calls out of the box or custom that you've written?

Murali__D (Author)
Level 2
June 20, 2025

Hello @giuseppebaglio, thank you for commenting. It's occurring for all POST calls on publish instances.

arunpatidar
Community Advisor
June 20, 2025

Hi @murali__d

AEM requires a valid CSRF token to be sent for authenticated POST, PUT, or DELETE HTTP requests to both AEM Author and Publish services.

The CSRF token is not required for GET requests, or anonymous requests.

Do you have AEM authentication/CUG on publisher as well?

Arun Patidar
kautuk_sahni
Community Manager
June 23, 2025

@murali__d Did you find the suggestions helpful? If you need more information, please let us know. If a response resolved your issue, kindly mark it as correct to help others in the future. Alternatively, if you discovered a solution on your own, we'd appreciate it if you could share it with the community. Thank you.

Kautuk Sahni
Murali__D (Author)
Level 2
June 23, 2025

Hey @kautuk_sahni, I could not find any solution for this. I need to enforce the CSRF token for POST request calls in publish instances, I mean live servers. How can I do this?