xpertbot / craft-wheelform

Craft CMS 4 Form with Database integration
MIT License

HTTP 400 – Bad Request - Multisite #185

Closed maartenheideman closed 4 years ago

maartenheideman commented 4 years ago

In a multisite environment with multiple domains I'll get an error 'HTTP 400 – Bad Request' when I try to send a form: Unable to verify your data submission. On the primary site it works like a charm; on the others I'll get the error. What could this be?

these are my htaccess settings:

```apache
<IfModule mod_headers.c>
    Header always set Content-Security-Policy "default-src * 'unsafe-eval' 'unsafe-inline' data: filesystem: about: blob: ws: wss:;"
    Header always set X-Xss-Protection "1; mode=block"
    Header always set X-Content-Type-Options "nosniff"
    Header always set Referrer-Policy "strict-origin"
    Header always set Feature-Policy "camera 'self'; payment 'self'; microphone 'self';"

    # Live preview across domains
    Header set Access-Control-Allow-Origin "https://www.primarysite.nl"
    Header set Access-Control-Allow-Credentials true
</IfModule>

<IfModule mod_rewrite.c>
    RewriteEngine On
    # Force ssl
    RewriteCond %{HTTP:X-Forwarded-Proto} !https
    RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]

    # Force www
    RewriteCond %{HTTP_HOST} ^primarysite.nl [NC]
    RewriteRule ^(.*)$ https://www.primarysite.nl/$1 [L,R=301,NC]
    RewriteCond %{HTTP_HOST} ^secondarysite.nl [NC]
    RewriteRule ^(.*)$ https://www.secondarysite.nl/$1 [L,R=301,NC]
</IfModule>
```

I'll work with a form include like this:

```twig
{% include "_includes/form" with { formId: form.id, formRedirect: '', formSubmitLabel: 'submit' } %}
```

include file:

```twig
{% if formId is defined %}
    {# Renders a list of validation messages for one field (or for the form as a whole) #}
    {% macro errorList(errors) %}
        {% if errors %}
            <ul class="form__errors">
                {% for error in errors %}
                    <li>{{ error }}</li>
                {% endfor %}
            </ul>
        {% endif %}
    {% endmacro %}
    {% from _self import errorList %}
    {# refreshCsrf: true makes the plugin fetch a fresh CSRF token even when the page is cached #}
    {% set form = wheelform.form({
        id: formId,
        refreshCsrf: true,
        redirect: (formRedirect is defined) ? formRedirect : '',
        submitButton: {
            label: (formSubmitLabel is defined) ? formSubmitLabel : 'submit'|t,
            attributes: {
                class: 'button button--primary'
            }
        }
    }) %}
    {{ form.open() }}
    {{ wheelformErrors['form'] is defined ? errorList(wheelformErrors['form']) }}
    {{ wheelformErrors['recaptcha'] is defined ? errorList(wheelformErrors['recaptcha']) }}
    {{ wheelformErrors['honeypot'] is defined ? errorList(wheelformErrors['honeypot']) }}
    {% for field in form.fields %}
        {{ field.render() }}
        {{ wheelformErrors[field.name] is defined ? errorList(wheelformErrors[field.name]) }}
    {% endfor %}
    {{ form.close() }}
{% endif %}
```
maartenheideman commented 4 years ago

When I set enableCsrfProtection to false, submissions work from all domains. But setting enableCsrfProtection to false is not desirable, in my opinion?

xpertbot commented 4 years ago

You are correct, we don't want to turn off CSRF. I will test it with a multisite setup whenever I have some downtime.

xpertbot commented 4 years ago

I just tested this on a local setup using a multisite, and it's working correctly. Are you sure it's the multisite setup and not some type of caching plugin? I say this because that's very common: caching an old token and then invalidating the request. Disable any caching plugin you might have installed and test the form on all domains without it. Let me know what you find.

maartenheideman commented 4 years ago

In the general config I've set 'enableTemplateCaching' to true. Could that be the problem?

xpertbot commented 4 years ago

Turn it off and see if it works without caching. Just troubleshoot until we find the cause of the problem. Then we can solve it.

maartenheideman commented 4 years ago

enableCsrfProtection was not the problem. Turns out the problem was the defaultCookieDomain I had set up because of the live preview, as suggested here: https://craftcms.com/knowledge-base/using-live-preview-across-multiple-subdomains. As soon as I remove that line, it works.
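The root cause described in this thread, modelled as an added example that is not part of craft-wheelform or of the discussion: a CSRF cookie scoped to `.primarysite.nl` is never stored by the browser on `www.secondarysite.nl`, so the submitted token has nothing to be checked against and the request fails. The cookie name is assumed to be Craft's default `CRAFT_CSRF_TOKEN`, the hostnames are the ones from the htaccess above, and the token handling is simplified (Craft embeds a masked copy of the cookie token rather than the raw value).

```python
import hmac
import secrets
from dataclasses import dataclass

# Assumed to be Craft's default CSRF cookie name; token values below are constructed at run time.
CSRF_COOKIE = "CRAFT_CSRF_TOKEN"


@dataclass
class Cookie:
    name: str
    value: str
    domain: str  # the Domain attribute the server sent, e.g. ".primarysite.nl"


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3 domain matching; browsers ignore a leading dot."""
    host = request_host.lower()
    dom = cookie_domain.lower().lstrip(".")
    return host == dom or host.endswith("." + dom)


def store_cookie(jar: list, response_host: str, cookie: Cookie) -> bool:
    """RFC 6265 section 5.3: a browser drops a cookie whose Domain does not cover the responding host."""
    if not domain_matches(response_host, cookie.domain):
        return False
    jar.append(cookie)
    return True


def cookies_for(jar: list, request_host: str) -> dict:
    """Cookies the browser attaches to a request for request_host."""
    return {c.name: c.value for c in jar if domain_matches(request_host, c.domain)}


def render_form(jar: list, site_host: str, default_cookie_domain) -> str:
    """Page load: mint a token, set it as a cookie (scoped by defaultCookieDomain, or host-only
    when that setting is absent) and return the value embedded in the form's hidden input."""
    token = secrets.token_hex(16)
    store_cookie(jar, site_host, Cookie(CSRF_COOKIE, token, default_cookie_domain or site_host))
    return token


def submit_form(jar: list, site_host: str, form_token: str) -> int:
    """Form POST: the cookie token must be present and equal to the submitted one, else HTTP 400."""
    cookie_token = cookies_for(jar, site_host).get(CSRF_COOKIE)
    if cookie_token is None or not hmac.compare_digest(cookie_token, form_token):
        return 400  # "Unable to verify your data submission"
    return 200


def simulate(site_host: str, default_cookie_domain) -> int:
    """One browser visiting site_host: load the form, then submit it."""
    jar = []
    return submit_form(jar, site_host, render_form(jar, site_host, default_cookie_domain))
```

With `defaultCookieDomain` set to `.primarysite.nl`, `simulate` returns 200 for `www.primarysite.nl` and 400 for `www.secondarysite.nl`; with the setting removed, both sites return 200, which is why the cross-subdomain live-preview trick only works for sites that share one registrable domain.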