This repository has been archived by the owner on Mar 9, 2018. It is now read-only.

HTTP 403 forbidden when accessing API endpoints

Reza Akhavan edited this page Sep 14, 2016 · 3 revisions

This is usually caused by crumb, the CSRF mitigation plugin this project registers.

We're using crumb, a hapi plugin that mitigates CSRF attacks. Every response from the server sets a fresh CSRF token in a cookie (named crumb by default). The front-end code reads that token from the cookie and sends it back to the server in the X-CSRF-Token header on every request it makes. A request whose header is missing, or whose header value does not match the crumb cookie sent with it, is rejected by crumb with a 403 Forbidden.

This does make it harder to interact with the API manually, or via apps like Postman, since you have to do the dance of reading the token out of the Set-Cookie header of each response and passing it back in the X-CSRF-Token header on your next request. The check only requires that the header match the crumb cookie sent with the same request, so for manual testing you can copy the value straight out of the cookie.
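The following is an added example, not code from this project or from crumb. It shows the client-side "dance" described above (read the crumb cookie, echo it in X-CSRF-Token) against a deliberately simplified stand-in for the server's check, so the 403 can be reproduced offline. It assumes crumb's default cookie name (crumb) and header name (X-CSRF-Token); the fake server and its token generation are constructed for the example and are not crumb's implementation.

```javascript
// Added example: the client-side token dance crumb requires, plus a simplified
// model of the server-side check. Not the project's front end, not crumb itself.
// Assumes crumb's defaults: cookie named "crumb", header "X-CSRF-Token".

const COOKIE_NAME = 'crumb';
const HEADER_NAME = 'X-CSRF-Token';

// Extract the crumb value from a response's Set-Cookie header(s).
// Accepts a single string or an array, which is what Node's http module returns.
function extractCrumb(setCookie, cookieName = COOKIE_NAME) {
  const headers = Array.isArray(setCookie) ? setCookie : [setCookie];
  for (const header of headers) {
    if (typeof header !== 'string') continue;
    const pair = header.split(';')[0]; // "name=value" before Path, Secure, etc.
    const eq = pair.indexOf('=');
    if (eq === -1) continue;
    if (pair.slice(0, eq).trim() === cookieName) {
      return decodeURIComponent(pair.slice(eq + 1).trim());
    }
  }
  return null;
}

// Build the headers for the next request: the crumb cookie goes back in the
// Cookie header and the same value is echoed in X-CSRF-Token.
function csrfHeaders(crumb, extra = {}) {
  if (!crumb) throw new Error('no crumb token available; make a request first');
  return { ...extra, cookie: `${COOKIE_NAME}=${crumb}`, [HEADER_NAME]: crumb };
}

// Parse a Cookie request header ("a=1; b=2") into an object.
function parseCookies(cookieHeader) {
  const out = {};
  for (const part of (cookieHeader || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq > 0) out[part.slice(0, eq).trim()] = part.slice(eq + 1).trim();
  }
  return out;
}

// Constructed stand-in for crumb's restful-mode behaviour (not crumb's code):
// every response sets a fresh crumb cookie; any method other than GET/HEAD must
// echo the cookie value in the header or it is refused with 403.
function fakeServer(req) {
  const cookies = parseCookies(req.headers.cookie);
  const mustValidate = !['GET', 'HEAD'].includes(req.method);
  const expected = cookies[COOKIE_NAME];
  const sent = req.headers[HEADER_NAME.toLowerCase()] || req.headers[HEADER_NAME];
  if (mustValidate && (!expected || sent !== expected)) {
    return { status: 403, headers: {} }; // crumb replies with Boom.forbidden()
  }
  const fresh = Math.random().toString(36).slice(2); // illustrative token only
  return { status: 200, headers: { 'set-cookie': [`${COOKIE_NAME}=${fresh}; Path=/`] } };
}

// Reproduce the symptom end to end: a POST that only sends the cookie is refused,
// the same POST with the token echoed in the header is accepted.
function roundTrip() {
  const first = fakeServer({ method: 'GET', headers: {} });
  const crumb = extractCrumb(first.headers['set-cookie']);
  const withoutToken = fakeServer({
    method: 'POST',
    headers: { cookie: `${COOKIE_NAME}=${crumb}` },
  }).status;
  const withToken = fakeServer({
    method: 'POST',
    headers: csrfHeaders(crumb, { 'content-type': 'application/json' }),
  }).status;
  return { withoutToken, withToken }; // { withoutToken: 403, withToken: 200 }
}
```

Against the real server, replace fakeServer with your HTTP client: feed the Set-Cookie header of the previous response to extractCrumb and pass csrfHeaders(crumb) as the headers of the next request. In Postman the same thing is done by hand: copy the crumb cookie value into an X-CSRF-Token header.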

Possible solutions:

  • You could disable crumb entirely by removing it from the manifest.js file. This removes CSRF protection from every route, so only do this if the API is never called from a browser with a cookie-based session.
  • If you only want to disable CSRF protection during development, you could modify manifest.js to register crumb only when NODE_ENV=production. Keep in mind that a front-end bug (a request that forgets the header) will then only show up as a 403 in production.
  • You can see if a different configuration would work better for you, for example a different headerName or a skip function that exempts specific routes; see the crumb docs.
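The following is an added example of the second option, not the project's actual manifest.js. It assumes a glue-style manifest with a registrations array (the hapi/glue format of this era); the inert and vision entries are placeholders for whatever other plugins the project registers, and the crumb options shown (restful mode, a secure cookie) are an assumption about how the project configures it.

```javascript
// Added example: register crumb only when NODE_ENV=production.
// Not the project's manifest.js; assumes a glue-style "registrations" manifest.
// "inert" and "vision" stand in for the project's other plugins.

// crumb registration with restful mode, so the X-CSRF-Token header is what is validated.
function crumbRegistration() {
  return {
    plugin: {
      register: 'crumb',
      options: {
        restful: true,                     // validate the header, not a payload field
        cookieOptions: { isSecure: true }, // production is served over HTTPS (assumption)
      },
    },
  };
}

// Build the registrations list for a given NODE_ENV. Any value other than
// "production" leaves crumb out, so the API can be called without the token.
function registrationsFor(env) {
  const registrations = [{ plugin: 'inert' }, { plugin: 'vision' }];
  if (env === 'production') {
    registrations.push(crumbRegistration());
  }
  return registrations;
}

const manifest = {
  server: {},
  connections: [{ port: process.env.PORT || 8000 }],
  registrations: registrationsFor(process.env.NODE_ENV),
};

if (typeof module !== 'undefined') {
  module.exports = manifest;
}
```

Run the server with NODE_ENV=production to get the CSRF check back; a missing NODE_ENV keeps it off, which is exactly why this must never be the deployed configuration by accident.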

That's it

We hope this was helpful. If you have questions or think this page should be expanded please contribute by opening an issue or updating this page.