Bad CSRF token when making API request


(Liam McArdle) #1

I am trying to make a POST request to add a new post, however I am getting a ‘BAD CSRF’ error. My understanding is that API requests are supposed to be checked for a CSRF token if my request contains the API key. Here is my request and associated response. Am I missing something?

curl -v 'http://localhost:3000' --data 'raw=This+is+the+new+body+of+the+topic&category=4&title=Sample+New+Topic' -H 'api_key:myLongAPIKey' -H 'api_username:myusername'

Response:

* upload completely sent off: 101 out of 101 bytes
< HTTP/1.1 403 Forbidden
* Server nginx is not blacklisted
< Server: nginx
< Date: Tue, 16 Sep 2014 23:20:16 GMT
< Content-Type: text/html; charset=utf-8
< Transfer-Encoding: chunked
< Connection: keep-alive
< Status: 403 Forbidden
< X-Frame-Options: SAMEORIGIN
< X-XSS-Protection: 1; mode=block
< X-Content-Type-Options: nosniff
< X-Request-Id: 9177c562-77f8-45bb-bbd0-502bad52e020
< X-Runtime: 0.074701
< Set-Cookie: __profilin=p%3Dt; path=/
<
* Connection #0 to host localhost:3000 left intact
['BAD CSRF']

(Kane York) #2

api_key and api_username are POST parameters, not headers.
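
The difference between the two requests in this thread, as an added example that is not part of either post and is not Discourse's own code. It is a simplified model that assumes the server skips the CSRF check only when a valid `api_key`/`api_username` pair arrives as request parameters; `handle_post`, `VALID_KEYS` and the other helper names are hypothetical.

```ruby
require "uri"

# Simplified model (assumption, not Discourse source): the CSRF check is
# bypassed only when a valid API key arrives as a request *parameter*.
VALID_KEYS = { "myLongAPIKey" => "myusername" }.freeze # constructed sample

def api_authenticated?(params)
  key = params["api_key"]
  !key.nil? && VALID_KEYS[key] == params["api_username"]
end

# A production check would compare tokens in constant time.
def csrf_valid?(headers, session_token)
  !session_token.nil? && headers["X-CSRF-Token"] == session_token
end

# Returns [status, body] for a form-encoded POST.
def handle_post(headers:, body:, session_token: nil)
  params = URI.decode_www_form(body).to_h
  return [200, "created: #{params['title']}"] if api_authenticated?(params)
  return [403, "['BAD CSRF']"] unless csrf_valid?(headers, session_token)
  [200, "created: #{params['title']}"]
end

FORM = "raw=This+is+the+new+body+of+the+topic&category=4&title=Sample+New+Topic"

# Request from post #1: credentials sent with -H, so they never reach params
# and the request falls through to the browser-style CSRF check.
def request_with_header_credentials
  handle_post(
    headers: { "api_key" => "myLongAPIKey", "api_username" => "myusername" },
    body: FORM
  )
end

# Request per post #2: credentials appended to the --data form body.
def request_with_param_credentials
  handle_post(
    headers: {},
    body: FORM + "&api_key=myLongAPIKey&api_username=myusername"
  )
end

if __FILE__ == $PROGRAM_NAME
  p request_with_header_credentials
  p request_with_param_credentials
end
```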

