{"id":35606,"date":"2024-06-13T16:27:49","date_gmt":"2024-06-13T15:27:49","guid":{"rendered":"https:\/\/leogeracademy.hestia.wpspace.me\/help\/non-knowledgebase\/uncategorized\/csrf-prevention\/"},"modified":"2025-05-19T08:37:29","modified_gmt":"2025-05-19T07:37:29","password":"","slug":"csrf-prevention","status":"publish","type":"docs","link":"https:\/\/staging.churchtools.academy\/en\/help\/system-settings\/general-data-security-privacy\/csrf-prevention\/","title":{"rendered":"CSRF prevention"},"content":{"rendered":"\n<aside class=\"wp-block-group ct-box ct-box-blue has-background is-vertical is-layout-flex wp-container-core-group-is-layout-002f1c27 wp-block-group-is-layout-flex\" style=\"border-radius:8px;border-left-color:#3e70ce;border-left-width:0.5rem;background-color:#f3f5f7;margin-top:var(--wp--preset--spacing--60);margin-bottom:var(--wp--preset--spacing--60)\">\n<p style=\"margin-top:0.5rem;margin-right:0.5rem;margin-bottom:0rem;margin-left:0.5rem\"><strong>Note<\/strong><\/p>\n\n\n\n<p style=\"margin-top:0rem;margin-right:0.5rem;margin-bottom:0.5rem;margin-left:0.5rem\">Relevant for everyone who uses the old ChurchTools API.<\/p>\n<\/aside>\n\n<p>CSRF stands for <a href=\"https:\/\/developer.mozilla.org\/en-US\/docs\/Glossary\/CSRF\">Cross-Site Request Forgery<\/a> and describes an attack in which unwanted actions are triggered on behalf of a logged-in user in order to abuse that user's permissions. To prevent ChurchTools from being vulnerable to CSRF attacks, we have introduced a CSRF token. This must be sent as a header with all old API calls. Specifically, this applies to all <em>POST requests<\/em> that have the content type <code>application\/x-www-form-urlencoded<\/code> or <code>multipart\/form-data<\/code> set. We explain how to do this in this article.<\/p>\n\n<p>After you have logged in, you call the API <code>\/api\/csrftoken<\/code> to get the token. You then send this token as a header with every subsequent API request. 
The header looks like this:<\/p>\n\n<p><code>CSRF-Token: $MEIN_TOKEN<\/code><\/p>\n\n<aside class=\"wp-block-group ct-box ct-box-blue has-text-color has-background has-link-color wp-elements-74648fa9a9506de5179716347194bc98 is-vertical is-layout-flex wp-container-core-group-is-layout-002f1c27 wp-block-group-is-layout-flex\" style=\"border-radius:8px;border-left-color:#e7c000;border-left-width:0.5rem;color:#3f3400;background-color:#ffe5644d;margin-top:var(--wp--preset--spacing--60);margin-bottom:var(--wp--preset--spacing--60)\">\n<p style=\"margin-top:0.5rem;margin-right:0.5rem;margin-bottom:0rem;margin-left:0.5rem\"><strong>Warning<\/strong><\/p>\n\n\n\n<p style=\"margin-top:0rem;margin-right:0.5rem;margin-bottom:0.5rem;margin-left:0.5rem\">Currently, the CSRF token check can still be disabled in the system settings. However, we strongly advise against doing so, as this is a security risk. <br><br>This option will be removed in one of the upcoming versions, and the CSRF token check will then always be active.<\/p>\n<\/aside>\n","protected":false},"excerpt":{"rendered":"<p>CSRF stands for Cross-Site Request Forgery and describes an attack in which unwanted actions are triggered on behalf of a logged-in user in order to abuse that user's permissions. To prevent ChurchTools from being vulnerable to CSRF attacks, we have introduced a CSRF token. This must be sent as a header with all old API calls. 
Specifically, this applies to all [&hellip;]<\/p>\n","protected":false},"author":6,"featured_media":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_acf_changed":false,"footnotes":""},"doc_category":[431],"doc_tag":[],"knowledge_base":[425],"class_list":["post-35606","docs","type-docs","status-publish","hentry","doc_category-general-data-security-privacy","knowledge_base-system-settings"],"acf":[],"year_month":"2026-05","word_count":114,"total_views":"137","reactions":{"happy":"0","normal":"0","sad":"0"},"author_info":{"name":"Jasper Stehmeier","author_nicename":"jstehmeier","author_url":"https:\/\/staging.churchtools.academy\/en\/author\/jstehmeier\/"},"doc_category_info":[{"term_name":"General","term_url":"https:\/\/staging.churchtools.academy\/en\/help\/system-settings\/general-data-security-privacy\/"}],"doc_tag_info":[],"knowledge_base_info":[{"term_name":"System Settings","term_url":"https:\/\/staging.churchtools.academy\/en\/help\/system-settings\/","term_slug":"system-settings"}],"knowledge_base_slug":["system-settings"],"_links":{"self":[{"href":"https:\/\/staging.churchtools.academy\/en\/wp-json\/wp\/v2\/docs\/35606","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/staging.churchtools.academy\/en\/wp-json\/wp\/v2\/docs"}],"about":[{"href":"https:\/\/staging.churchtools.academy\/en\/wp-json\/wp\/v2\/types\/docs"}],"author":[{"embeddable":true,"href":"https:\/\/staging.churchtools.academy\/en\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/staging.churchtools.academy\/en\/wp-json\/wp\/v2\/comments?post=35606"}],"version-history":[{"count":1,"href":"https:\/\/staging.churchtools.academy\/en\/wp-json\/wp\/v2\/docs\/35606\/revisions"}],"predecessor-version":[{"id":35607,"href":"https:\/\/staging.churchtools.academy\/en\/wp-json\/wp\/v2\/docs\/35606\/revisions\/35607"}],"wp:attachment":[{"href":"https:\/\/staging.churchtools.academy\/en\/wp-json\/wp\/v2\/media?parent=35606"}],"wp:term":[{"
taxonomy":"doc_category","embeddable":true,"href":"https:\/\/staging.churchtools.academy\/en\/wp-json\/wp\/v2\/doc_category?post=35606"},{"taxonomy":"doc_tag","embeddable":true,"href":"https:\/\/staging.churchtools.academy\/en\/wp-json\/wp\/v2\/doc_tag?post=35606"},{"taxonomy":"knowledge_base","embeddable":true,"href":"https:\/\/staging.churchtools.academy\/en\/wp-json\/wp\/v2\/knowledge_base?post=35606"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}