CSRF prevention

CSRF stands for Cross-Site Request Forgery and describes an attack in which a victim's browser is made to trigger unwanted actions in order to abuse the rights of the logged-in user. To prevent ChurchTools from being vulnerable to CSRF attacks, we have introduced a CSRF token. It must be sent as a header with all calls to the old API. Specifically, this applies to all POST requests whose content type is application/x-www-form-urlencoded or multipart/form-data. This article explains how to do that.

After logging in, call the endpoint /api/csrftoken to obtain the token. Send this token as a header with every subsequent API request. The header looks like this:

CSRF-Token: $MEIN_TOKEN
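The flow described above, as an added example that is not ChurchTools' own client code: a small Python client that fetches the token from /api/csrftoken after login and attaches the CSRF-Token header to exactly the requests the article names (POST with application/x-www-form-urlencoded or multipart/form-data), alongside a constructed stand-in server that enforces the same rule. The login step, the injected transport callable and the response shape {"data": "<token>"} of /api/csrftoken are assumptions.

```python
import json
import secrets
from typing import Dict, Optional, Tuple

# Requests the article says must carry the header: POST with one of these media types.
CSRF_PROTECTED_TYPES = {"application/x-www-form-urlencoded", "multipart/form-data"}

def needs_csrf_token(method: str, content_type: Optional[str]) -> bool:
    """Decide whether a request falls under the rule described in the article."""
    if method.upper() != "POST" or not content_type:
        return False
    # Compare the media type only: real headers carry "; boundary=..." or "; charset=...".
    media_type = content_type.split(";", 1)[0].strip().lower()
    return media_type in CSRF_PROTECTED_TYPES

class ChurchToolsClient:
    """Fetches the token once after login and attaches it to every request that needs it."""
    def __init__(self, base_url: str, transport) -> None:
        self.base_url = base_url.rstrip("/")
        self.transport = transport  # assumed callable(method, url, headers, body) -> (status, body)
        self.csrf_token: Optional[str] = None

    def fetch_csrf_token(self) -> str:
        status, body = self.transport("GET", f"{self.base_url}/api/csrftoken", {}, None)
        if status != 200:
            raise RuntimeError(f"/api/csrftoken failed with HTTP {status}")
        self.csrf_token = json.loads(body)["data"]  # assumed response shape: {"data": "<token>"}
        return self.csrf_token

    def request(self, method: str, path: str, headers: Optional[Dict[str, str]] = None,
                body: Optional[bytes] = None) -> Tuple[int, bytes]:
        headers = dict(headers or {})
        if needs_csrf_token(method, headers.get("Content-Type")):
            headers["CSRF-Token"] = self.csrf_token or self.fetch_csrf_token()
        return self.transport(method, f"{self.base_url}{path}", headers, body)

class FakeServer:
    """Constructed stand-in for the server side, so the exchange can be run offline."""
    def __init__(self) -> None:
        self.token = secrets.token_hex(16)

    def __call__(self, method, url, headers, body) -> Tuple[int, bytes]:
        if method == "GET" and url.endswith("/api/csrftoken"):
            return 200, json.dumps({"data": self.token}).encode()
        # Same rule as the client; constant-time compare avoids leaking the token via timing.
        if needs_csrf_token(method, headers.get("Content-Type")) and not secrets.compare_digest(
                headers.get("CSRF-Token", ""), self.token):
            return 403, b"missing or invalid CSRF token"
        return 200, b"ok"
```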

Updated on 19 May 2025