HTTP 403 forbidden when accessing API endpoints
This may be caused by crumb, a CSRF mitigation tool.
We're using crumb, which helps diminish CSRF attacks. You'll get a new CSRF token (via cookies) on each response from the server. The front-end code looks for this token and passes it back to the server via the X-CSRF-Token header with each request made to the server.
This does make it harder to interact with the API manually, or via apps like Postman, since you have to do the dance of finding the token in the cookie header and passing the token back via the X-CSRF-Token header with your next request.
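The "dance" described above, as an added example (not code from the Aqua project or from crumb): a small helper that reads the cookies set by one response and builds the headers for the next request, sending the crumb value back both as a cookie and in X-CSRF-Token. The cookie names sid-aqua and crumb are taken from this page; the helper names and sample values are constructed.

```javascript
// Hypothetical helper for the manual crumb round-trip.
// Cookie names assumed from this page: "sid-aqua" (session) and "crumb" (CSRF token).
const CRUMB_COOKIE = 'crumb';

// Parse an array of Set-Cookie header values into a {name: value} map.
// Attributes such as Path, HttpOnly and Secure are ignored; only the
// first name=value pair of each header is kept.
function parseSetCookies(setCookieHeaders) {
  const jar = {};
  for (const header of setCookieHeaders) {
    const [pair] = header.split(';');
    const eq = pair.indexOf('='); // values may themselves contain '='
    if (eq < 0) continue;
    jar[pair.slice(0, eq).trim()] = pair.slice(eq + 1).trim();
  }
  return jar;
}

// Build the headers for the next request. Throws if no crumb was issued,
// because a request without a matching X-CSRF-Token is what produces the 403.
function nextRequestHeaders(jar) {
  const crumb = jar[CRUMB_COOKIE];
  if (!crumb) throw new Error('no crumb cookie in the previous response');
  const cookie = Object.entries(jar).map(([k, v]) => `${k}=${v}`).join('; ');
  return { Cookie: cookie, 'X-CSRF-Token': crumb };
}

// Constructed sample Set-Cookie headers, as a server using crumb might send them.
const sampleSetCookie = [
  'sid-aqua=abc123; Path=/; HttpOnly',
  'crumb=XyZ987crumb; Path=/; Secure',
];

// Headers to attach to the follow-up request.
console.log(nextRequestHeaders(parseSetCookies(sampleSetCookie)));
```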
Possible solutions:
- You could disable crumb by removing it from the manifest.js file.
- If you only want to disable CSRF protection during development, you could modify manifest.js to only include crumb when NODE_ENV=production.
- You can see if a different configuration would work better for you; see the crumb docs.
To use Postman, take the following steps:
- Install Postman and Postman Interceptor.
- Sign into your local Aqua site in Chrome.
- Add your route to the "Enter Request URL" field in Postman.
- Add a header by clicking "Headers", with the key "Cookie" and the value "sid-aqua=XXX;crumb=XXX". You can copy the cookie from your Chrome browser, or make an initial request and click the "Cookie" tab.
- Send your request and you should get an authenticated reply!
We hope this was helpful. If you have questions or think this page should be expanded please contribute by opening an issue or updating this page.