This error means your request arrived without a valid CSRF token, so the server blocks it to stop cross-site actions.
A CSRF token is a small, random value that ties a risky request to a real browser session. When the server can’t match the token, it treats the request like it might be forged and returns a 403. You’ll often see the message during login, signup, password change, profile edits, or any POST that uses cookies for auth.
You don’t need guesswork. You need three pieces to agree: the session cookie, the token value, and the server’s CSRF settings. The steps below help you line those up for browser forms, single-page apps, gateways, and API tools.
What This Error Means On The Wire
Most CSRF defenses rely on a session cookie plus a token sent back in a form field or request header. The cookie answers “who,” and the token answers “did this request start on one of our pages.” If either is missing, or if the token no longer matches the session, the server rejects the call.
“Token missing” can be triggered by a cached page with an old token, a cookie blocked by the browser, a request sent without credentials, a domain mismatch after a redirect, or a proxy that rewrites paths and breaks cookie scope.
A fast way to narrow the cause is a side-by-side request check. Open a request that works, then open the one that fails, and compare four fields: Cookie, Origin, Referer, and the CSRF token field or header. Missing Cookie points to cookie rules. Cookie present but token missing points to the client. Both present but rejected points to session rotation, token storage, or gateway rewriting.
| What You See | Likely Cause | First Check |
|---|---|---|
| 403 right after login | Cookie not stored or not sent back | Confirm cookies are enabled and host matches |
| Works in browser, fails in Postman | Client skips the token step | Fetch token, keep cookies, send token back |
| Fails only behind a gateway | Host, path, or scheme rewritten | Check cookie Domain, Path, and forwarded headers |
| Fails after idle time | Session expired or rotated | Sign in again, reload page, retry the action |
An Expected CSRF Token Cannot Be Found In Browser Forms
When a form submit triggers this message, start with two basics. Confirm the token is in the HTML the browser received. Then confirm the browser sends it back on submit.
- View page source — Check the rendered HTML for a hidden input that carries the token value, or a meta tag your JS reads.
- Hard refresh the page — Reload to avoid a cached page with a stale token, then submit again.
- Clear site data — Remove cookies and site storage for the domain, sign in again, and retry the same action.
- Confirm one host — Avoid bouncing between www and non-www, or between http and https, since cookies and tokens may not carry across.
Next, use devtools to confirm what was actually sent. In the Network tab, open the failing request and check that a session cookie is present and a token value is present in the payload or a header like X-CSRF-TOKEN. If the cookie is missing, a token can’t be validated even if it’s present.
If the issue shows up only after you use the back button, you may be resubmitting a page held in the browser’s memory cache. A hard refresh before submit often fixes that. If you control caching headers, avoid caching HTML that includes tokens at shared layers, and avoid serving the same token to multiple users.
Expected CSRF Token Not Found In Api Calls And Spas
Single-page apps and API tools hit this issue a lot because they don’t submit server-rendered forms. They usually need an extra step: fetch a token first, then echo it back on each state-changing request.
- Send credentials — For fetch, set credentials to include; for axios, set withCredentials to true, so cookies travel with the request.
- Read the token correctly — Some apps store the token in a cookie like XSRF-TOKEN; others expose it in a response header or a JSON field.
- Mirror the header name — Match what the server expects, such as X-CSRF-TOKEN or X-XSRF-TOKEN, with the same spelling your stack checks.
- Allow the header in CORS — If the API is on a different origin, allow credentials and allow the CSRF header during preflight.
Tools like Postman and curl won’t auto-manage CSRF for you. You often need to call a “get token” route first, capture cookies, then send the token back with the next POST. If your app uses session auth, keep the cookie jar between calls.
- Start with a GET — Hit a page or endpoint that sets the session cookie and exposes a token value.
- Save cookies — Keep the session cookie for the next request, not just the token string.
- Send the token back — Put the token in the header or form field the server checks for writes.
- Repeat after login — If login rotates the session, fetch a fresh token after login before the next write.
Cookie Settings That Break Token Matching
CSRF checks depend on cookies. A cookie that never arrives equals a token that can’t be validated. Browsers also enforce stricter cookie rules than they used to, so settings that “worked before” can fail after a browser update.
- Check SameSite — If your app spans subdomains or uses third-party login redirects, you may need SameSite=None plus Secure on the session cookie.
- Check Secure — Cookies marked Secure won’t send over plain http, which can break local testing and mixed-content setups.
- Check Path and Domain — A cookie scoped to /app won’t be sent to /api; a cookie scoped to api.example.com won’t be sent to www.example.com.
- Check size limits — Huge cookies can be dropped by the browser or proxy, which can silently remove your session.
Reverse proxies can also hide the real scheme and host from your app. If your server thinks a request is http while the browser is https, it may set cookies with the wrong attributes. Forwarded headers like X-Forwarded-Proto, and correct proxy settings, keep the server’s view in sync.
Login redirects add one more twist. A sign-in flow can bounce across domains, then land back on your app. If your session cookie is scoped too narrowly, or if SameSite blocks it during that redirect, the next POST may arrive with no session cookie and no usable token. Test the full flow in a private window and watch cookie storage during each redirect hop.
Server-Side Fixes In Common Stacks
On the server, this message often means one of two things. CSRF is on but the app doesn’t expose a token to the client. The right fix depends on how you authenticate.
Spring Security And Spring Cloud Gateway
Spring Security enables CSRF protection for browser sessions by default. If you call endpoints from a non-browser client, you’ll get a 403 unless you supply the token or scope CSRF to the right routes. Spring Cloud Gateway can add extra confusion if it changes the request path or host.
- Expose a token — Use a token repository that writes a cookie (often named XSRF-TOKEN) so JS can read it and return it in a header.
- Match your app type — WebFlux uses a different security config style than servlet apps, so mix-ups can leave CSRF on when you thought it was off.
- Ignore CSRF on bearer APIs — Keep CSRF for browser pages, and ignore it for stateless API paths that never use auth cookies.
- Pass forwarded headers — Ensure the server sees the real host and scheme, or it may set cookies that never come back.
Django, Laravel, And Rails
These stacks expect a token on every write. In server-rendered pages, their helpers output hidden inputs. In AJAX calls, you read a meta tag or cookie and set a header. Failures are often simple: a form missing the token field, a route exempted by mistake, or JS that reads the wrong meta tag.
- Django templates — Ensure the CSRF tag is in the form, then include the CSRF header for fetch or XMLHttpRequest calls.
- Laravel forms — Ensure the CSRF field helper is in the form and that session cookies are present on submit.
- Rails forms — Ensure the authenticity token is present and that your JS includes the token header on remote requests.
If your app sits behind a cache, treat token-bearing HTML as private. A shared cache can serve one user’s token to another user, which will fail validation and can also create a real security issue.
When Disabling Csrf Is Reasonable And What To Do Instead
CSRF protection is built for cookie-based sessions, where the browser automatically sends credentials. If your API is truly stateless and uses an Authorization header with a bearer token, CSRF checks can be redundant, since a cross-site request can’t force the browser to attach your bearer token.
Turning CSRF off blindly can still open a hole if any route relies on cookies for auth. A safer pattern is to keep CSRF on for browser pages, and turn it off only for API routes that never read auth cookies.
- Split routes — Put browser pages under one path and stateless APIs under another, then apply CSRF rules by path.
- Keep sessions tidy — After login, rotate the session and refresh the token on the next page load to avoid mismatches.
- Use strict cookies — Prefer SameSite=Lax or Strict for sessions when you don’t need cross-site redirects.
- Test the risky paths — Validate login, logout, password change, and profile save in a private window, then repeat behind your proxy.
For background and stack-specific header names, these pages are solid starting points: the OWASP CSRF cheat sheet and official docs for the stacks you run.
- Use OWASP CSRF cheat sheet — Cross-Site Request Forgery Prevention Cheat Sheet
- Check Spring Security CSRF docs — Spring Security CSRF reference
- Check Django CSRF docs — Django CSRF reference
Once the pieces line up, the message goes away fast. If you still see an expected csrf token cannot be found after these checks, capture the failing request headers and cookies and compare them to a working browser request. That side-by-side view shows what’s missing almost every time.
If the error appears only on one route, audit that route for a missing token field, a redirect to a different host, or cached HTML. Small routing details often explain why one form fails while the rest work, even when logs keep repeating an expected csrf token cannot be found.