Urgent: POST APIs Working Without CSRF Token in Publish Instance

Level 2

Hi Team,

Quick and urgent query:
In my project, all POST APIs are working fine and returning a success response without passing a CSRF token.

Is this the expected behavior in the publish instance, or should it return a 403 error if the CSRF token is missing? Which one is correct?

I do not want any POST call to succeed without a valid CSRF token.

How can I enforce this properly in the publish environment?

PUBLISH Config

Murali__D_0-1750352192973.png


Can you please provide me a fix asap?

Thank you

6 Replies

Level 2

And on the author instance, the same POST requests return 403 Forbidden when the CSRF token is not provided.

Level 9

Is this occurring for all POST requests or just some? Are the calls out of the box or custom that you've written?

Level 2

Hello @giuseppebag, thank you for commenting. It's occurring for all POST calls on publish instances.

Community Advisor

Hi @Murali__D

AEM requires a valid CSRF token to be sent for authenticated POST, PUT, or DELETE HTTP requests to both AEM Author and Publish services.

The CSRF token is not required for GET requests, or anonymous requests.

Do you have AEM authentication/CUG on publisher as well?

Arun Patidar

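The rule stated in the reply above, modelled as an added example (not part of the original thread and not AEM code): a constructed local stub applies the rule and a probe records the status of a POST in each case. `CSRF-Token` is the header AEM's CSRF framework reads; the stub, the token value, the Basic-auth check and the `/bin/example` path are assumptions made for the illustration.

```python
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

TOKEN = "constructed-token"               # constructed sample value
BASIC = "Basic Y29uc3RydWN0ZWQ6dXNlcg=="  # constructed credentials ("constructed:user")

class StubPublish(BaseHTTPRequestHandler):
    """Constructed stand-in that applies the rule from the reply; not AEM code."""
    def do_POST(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))  # drain the body
        authenticated = "Authorization" in self.headers  # assumption: auth header = logged in
        token_ok = self.headers.get("CSRF-Token") == TOKEN
        self.send_response(403 if authenticated and not token_ok else 200)
        self.end_headers()

    def log_message(self, *args):  # silence per-request logging
        pass

def post_status(url, authenticated, token=None):
    """POST to url and return the HTTP status, with or without auth and token."""
    headers = {}
    if authenticated:
        headers["Authorization"] = BASIC
    if token:
        headers["CSRF-Token"] = token
    req = urllib.request.Request(url, data=b"x=1", headers=headers, method="POST")
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # ignore proxy env
    try:
        with opener.open(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def probe_matrix():
    """Run the three cases against the local stub and return {case: status}."""
    server = HTTPServer(("127.0.0.1", 0), StubPublish)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    url = f"http://127.0.0.1:{server.server_port}/bin/example"  # hypothetical servlet path
    try:
        return {"anonymous, no token": post_status(url, False),
                "authenticated, no token": post_status(url, True),
                "authenticated, valid token": post_status(url, True, TOKEN)}
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print(probe_matrix())
```

`post_status` can be pointed at a test instance you own to record the same three cases there.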

Administrator

@Murali__D Did you find the suggestions helpful? If you need more information, please let us know. If a response resolved your issue, kindly mark it as correct to help others in the future. Alternatively, if you discovered a solution on your own, we'd appreciate it if you could share it with the community. Thank you.



Kautuk Sahni

Level 2

Hey @kautuk_sahni, I could not find any solution for this. I need to enforce the CSRF token for POST request calls in publish instances, I mean live servers. How can I do this?