Urgent: POST APIs Working Without CSRF Token in Publish Instance

Level 2

Hi Team,

Quick and urgent query:
In my project, all POST APIs are working fine and returning a success response without passing a CSRF token.

Is this the expected behavior in the publish instance, or should it return a 403 error if the CSRF token is missing? Which one is correct?

I do not want any POST call to succeed without a valid CSRF token.

How can I enforce this properly in the publish environment?

PUBLISH Config

Murali__D_0-1750352192973.png


Can you please provide me a fix asap?

Thank you

6 Replies

Level 2

And on the author instance, the same POST requests return 403 Forbidden when the CSRF token is not provided.

Level 10

Is this occurring for all POST requests or just some? Are the calls out of the box or custom that you've written?

Level 2

Hello @giuseppebag, thank you for commenting. It's occurring for all POST calls on publish instances.

Community Advisor

Hi @Murali__D 

 

AEM requires a valid CSRF token to be sent for authenticated POST, PUT, or DELETE HTTP requests to both AEM Author and Publish services.

The CSRF token is not required for GET requests, or anonymous requests.

 

Do you have AEM authentication/CUG on publisher as well?

Arun Patidar
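
One way to check on your own instance which case from the reply above applies (authenticated requests need a token, anonymous ones do not). This is an added example, not code from the thread or from Adobe: the token endpoint and header name come from AEM's documentation rather than this page, and the POST path, test account, Basic authentication and browser-like User-Agent are assumptions.

```python
import base64
import json
import urllib.error
import urllib.request

# AEM's documented token endpoint and request header; neither appears in the thread.
TOKEN_PATH = "/libs/granite/csrf/token.json"
TOKEN_HEADER = "CSRF-Token"
# Assumption: browser-like User-Agent, so the probe resembles the traffic CSRF checks target.
BASE_HEADERS = {"User-Agent": "Mozilla/5.0 (csrf-probe)"}


def http_send(method, url, headers, body=None):
    """Default transport: return (status, body) and do not raise on 4xx/5xx."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def probe(base, post_path, user, password, send=http_send):
    """POST three ways; return the statuses and a verdict on token enforcement."""
    cred = base64.b64encode(f"{user}:{password}".encode()).decode()
    auth = {**BASE_HEADERS, "Authorization": "Basic " + cred}
    url = base + post_path
    anon, _ = send("POST", url, dict(BASE_HEADERS), b"")      # baseline, no session
    no_token, _ = send("POST", url, auth, b"")                # should be rejected
    _, raw = send("GET", base + TOKEN_PATH, auth)
    try:
        token = json.loads(raw).get("token", "")
    except (ValueError, AttributeError, TypeError):
        token = ""  # endpoint blocked or returned something other than a JSON object
    with_token, _ = send("POST", url, {**auth, TOKEN_HEADER: token}, b"")
    statuses = {"anonymous": anon, "auth_no_token": no_token, "auth_with_token": with_token}
    # An empty token suggests the login did not take effect, so nothing can be concluded.
    if token and no_token < 400:
        verdict = "not enforced: authenticated POST accepted without a token"
    elif token and no_token == 403 and with_token < 400:
        verdict = "enforced for authenticated requests"
    else:
        verdict = "inconclusive: check credentials, path and token endpoint"
    return statuses, verdict
```

The `anonymous` status is the baseline: if the POSTs that succeed on publish carry no login, a success there matches the rule quoted in the reply and does not by itself show that token checking is off.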


Administrator

@Murali__D Did you find the suggestions helpful? If you need more information, please let us know. If a response resolved your issue, kindly mark it as correct to help others in the future. Alternatively, if you discovered a solution on your own, we'd appreciate it if you could share it with the community. Thank you.



Kautuk Sahni

Level 2

Hey @kautuk_sahni, I could not find any solution for this. I need to enforce the CSRF token for POST request calls in publish instances, I mean live servers. How can I do this?