BAD CSRF on user modification

Hi everyone,

We are running into ["BAD CSRF"] errors (403, Forbidden) at the moment.
Request with API-Key looks like:
Url: https://<domain>/u/tschuerle.json?api_key=<valid key>&api_username=tschuerle
Body: { "hide_profile_and_presence": true }
Method: PUT
Headers: "Content-Type" to "application/json"

According to the web-hook logs, it worked until April. At the moment we are running the latest stable version 2.5.0.

Use case: Set profiles to private after user-creation via web-hook and let the users decide on their own if they want to make their profile public.

Any hints?

Thanks,
Thomas

1 Like

API Keys now need to be set as headers instead of URL parameters. Check docs.discourse.org for details.

3 Likes
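The change described in the reply above, as an added example that is not part of the original thread: a helper that takes a legacy URL carrying `api_key`/`api_username` as query parameters and rebuilds the request with the credentials in the `Api-Key` and `Api-Username` headers named in the Discourse API docs. The host `forum.example.com`, the key value and the function names are constructed for illustration.

```python
import json
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode
from urllib.request import Request

# Legacy query parameter -> header name used by the Discourse API.
CREDENTIAL_PARAMS = {"api_key": "Api-Key", "api_username": "Api-Username"}


def migrate_request(legacy_url, body):
    """Return (clean_url, headers, data) with credentials moved out of the URL."""
    parts = urlsplit(legacy_url)
    headers = {"Content-Type": "application/json"}
    kept = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        header = CREDENTIAL_PARAMS.get(name)
        if header:
            headers[header] = value      # credential travels as a header
        else:
            kept.append((name, value))   # unrelated parameters stay in the URL
    if "Api-Key" not in headers:
        raise ValueError("no api_key found in legacy URL")
    clean_url = urlunsplit(parts._replace(query=urlencode(kept)))
    return clean_url, headers, json.dumps(body).encode("utf-8")


def build_request(legacy_url, body, method="PUT"):
    """Build (but do not send) a urllib Request using header authentication."""
    url, headers, data = migrate_request(legacy_url, body)
    return Request(url, data=data, headers=headers, method=method)


# Constructed sample mirroring the request from the first post.
SAMPLE_URL = ("https://forum.example.com/u/tschuerle.json"
              "?api_key=CONSTRUCTED_KEY&api_username=tschuerle")
SAMPLE_BODY = {"hide_profile_and_presence": True}

if __name__ == "__main__":
    req = build_request(SAMPLE_URL, SAMPLE_BODY)
    print(req.get_method(), req.full_url)
    for name, value in req.header_items():
        shown = "<redacted>" if name.lower() == "api-key" else value
        print(f"{name}: {shown}")
    # urllib.request.urlopen(req) would send it; omitted so this runs offline.
```

Keeping the key out of the URL also keeps it out of web server access logs and proxy logs, which record the request line but not normally request headers.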

Oh, I missed that. It’s working with that.
Thank you @Falco
