reagent-project / reagent-template

A Leiningen template for projects using Reagent.
MIT License

POST request and X-CSRF token #92

Closed (iloginov closed this 8 years ago)

iloginov commented 8 years ago

I got Invalid anti-forgery token when making a POST request. The simplest way of avoiding that I found on the net is to use Selmer as the templating engine:

<!-- type="javascript" is not a valid script MIME type and the browser would skip the block -->
<script type="text/javascript">
  var csrf = "{{csrf-token}}"; <!-- Selmer substitutes the per-session token server-side -->
</script>

or disable :anti-forgery in site-defaults as described here.

I wonder if there is a simple way to make a POST request without disabling anti-forgery.

Thx.

yogthos commented 8 years ago

You do have to explicitly include the token, if you're using Hiccup then you can use (ring.util.anti-forgery/anti-forgery-field) in the form. It will create the necessary HTML field for validation.

Conaws commented 8 years ago

@yogthos can you illustrate this with an example...

What do you mean by 'the form'? What if the POST request is coming from a Reagent element that isn't inside a form per se?

Basically, how would one place this into the Hiccup template above (taken from your book)?

{% extends "base.html" %}
{% block content %}
<input id="token" type="hidden" value="{{csrf-token}}">

yogthos commented 8 years ago

If you're doing an AJAX POST from ClojureScript, then you need to add a CSRF header. You can take a look here for an example. The code there uses the cljs-ajax library and creates an interceptor that will inject the header for each request. The js/csrfToken variable has to be generated on the page.
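As an added example (not code from this issue or from reagent-template), the pattern the last comment describes: a ClojureScript namespace that reads the token the server rendered into the page (the js/csrfToken global, or the hidden #token input from the template above) and attaches it as an X-CSRF-Token header through a cljs-ajax interceptor, so a Reagent button with no surrounding <form> can POST without disabling anti-forgery. The namespace name, the /api/save route and the component are assumptions; ajax.core/default-interceptors and ajax.core/to-interceptor are cljs-ajax's own API.

```clojure
;; Added example (not the project's code). Assumes a Ring backend with
;; wrap-anti-forgery enabled that rendered the token into the page as either
;; `var csrfToken = "...";` or `<input id="token" type="hidden" value="...">`.
(ns example.csrf
  (:require [ajax.core :as ajax]
            [reagent.core :as r]))

(defn page-csrf-token
  "Token the server embedded in the page, or nil if none was rendered.
   Prefers the js/csrfToken global and falls back to the hidden #token input."
  []
  (or (when (exists? js/csrfToken) js/csrfToken)
      (some-> (.getElementById js/document "token") .-value)))

(defn add-csrf-header
  "cljs-ajax request interceptor: merge X-CSRF-Token into the outgoing
   headers while keeping any headers the caller set explicitly."
  [request]
  (if-let [token (page-csrf-token)]
    (update request :headers #(merge {"X-CSRF-Token" token} %))
    request))

(defn install-csrf-interceptor!
  "Call once at app start so every ajax/POST carries the header."
  []
  (swap! ajax/default-interceptors conj
         (ajax/to-interceptor {:name "csrf-header" :request add-csrf-header})))

(defn save-note!
  "POST issued from a Reagent component; no <form> element is involved."
  [text]
  (ajax/POST "/api/save"                    ; hypothetical route
             {:params        {:text text}
              :format        :json
              :handler       #(js/console.log "saved" (clj->js %))
              :error-handler #(js/console.error "save failed" (clj->js %))}))

(defn note-editor
  "Minimal Reagent component whose button triggers the protected POST."
  []
  (let [text (r/atom "")]
    (fn []
      [:div
       [:input {:value @text
                :on-change #(reset! text (.. % -target -value))}]
       [:button {:on-click #(save-note! @text)} "Save"]])))
```

Ring's wrap-anti-forgery accepts the token from the X-CSRF-Token header as well as from the __anti-forgery-token form field, so the server needs no change beyond rendering the token into the page; a request that reaches the server without a token matching the session still gets the 403 the issue reporter saw.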