- Status changed to Closed: duplicate
10 months ago 9:15pm 21 February 2024
When using Webform REST to submit a form, the response is 200 even when the `x-csrf-token` is not included in the request header. This contradicts the expectation that a valid `x-csrf-token` is required for a successful submission.
1. Grant permission to anonymous users for "Webform Submit POST" under "RESTful Web Services" at `/admin/people/permissions`.
2. Enable "Webform Submit" at `/admin/config/services/rest`.
3. Execute the command `curl -X POST -H "Content-Type: application/json" -H "X-CSRF-Token: {x_csrf_token}" -d '{"webform_id": "{webform_name}", "message": "{message_text}"}' {website_url}/webform_rest/submit`.
4. Also, execute the command without `x-csrf-token` in the header and observe the response.
Investigate and modify the system to ensure that the submission only succeeds (returns 200) when a valid `x-csrf-token` is included in the request.
- Identify the cause of the issue.
- Implement necessary changes to enforce `x-csrf-token` validation.
- Test to confirm that the issue is resolved.
N/A
This change will affect the API behavior so that the `x-csrf-token` in the request header is correctly validated.
N/A
Status: Closed: duplicate
Version: 4.1
Component: Code
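The two curl calls from the reproduction steps, scripted so the status codes can be compared in one run. This is an added helper, not code from the issue report or from the Webform REST project. It assumes the hypothetical environment variables `BASE_URL` and `WEBFORM_ID` (the `{website_url}` and `{webform_name}` placeholders above), an optional `COOKIE_JAR` holding a curl cookie file, Drupal core's `/session/token` route for obtaining the token, and the `/webform_rest/submit` resource enabled as in steps 1 and 2.

```shell
#!/bin/sh
# Added reproduction helper for the steps above; not part of the original issue.
# Assumed inputs (hypothetical placeholders): BASE_URL, WEBFORM_ID, and optionally
# COOKIE_JAR, a curl cookie file carrying a Drupal session.
# Assumed endpoints: Drupal core's /session/token route and the Webform REST
# resource at /webform_rest/submit with POST enabled.

COOKIE_JAR=${COOKIE_JAR:-}

# Shared curl invocation: quiet, and carry the session cookie when one is given.
curl_base() {
  if [ -n "$COOKIE_JAR" ]; then
    curl -s -b "$COOKIE_JAR" -c "$COOKIE_JAR" "$@"
  else
    curl -s "$@"
  fi
}

# Fetch a CSRF token for whatever session curl is currently carrying.
get_csrf_token() {
  curl_base "$1/session/token"
}

# POST one submission and print only the HTTP status code.
# $1 base URL, $2 webform machine name, $3 token ("" sends no X-CSRF-Token header).
submit_status() {
  body="{\"webform_id\": \"$2\", \"message\": \"csrf probe\"}"
  if [ -n "$3" ]; then
    curl_base -o /dev/null -w '%{http_code}' -X POST \
      -H 'Content-Type: application/json' -H "X-CSRF-Token: $3" \
      -d "$body" "$1/webform_rest/submit"
  else
    curl_base -o /dev/null -w '%{http_code}' -X POST \
      -H 'Content-Type: application/json' \
      -d "$body" "$1/webform_rest/submit"
  fi
}

# Interpret the pair of status codes: $1 with the token, $2 without it.
# Drupal's CSRF access check denies with 403, so:
#   2xx / 403     -> enforced      (the behaviour the report expects)
#   2xx / 2xx     -> not-enforced  (the behaviour the report observes)
#   anything else -> inconclusive  (permission missing, resource disabled, bad token, ...)
classify() {
  case "$1" in
    2??) ;;
    *) echo inconclusive; return 0 ;;
  esac
  case "$2" in
    403) echo enforced ;;
    2??) echo not-enforced ;;
    *) echo inconclusive ;;
  esac
}

# Run the probe end to end: fetch a token, submit with it, submit without it.
run_probe() {
  token=$(get_csrf_token "$1")
  with=$(submit_status "$1" "$2" "$token")
  without=$(submit_status "$1" "$2" "")
  echo "with token: $with, without token: $without -> $(classify "$with" "$without")"
}

# Only hit the network when both placeholders have been filled in.
if [ -n "${BASE_URL:-}" ] && [ -n "${WEBFORM_ID:-}" ]; then
  run_probe "$BASE_URL" "$WEBFORM_ID"
fi
```

Run it as `BASE_URL=https://example.test WEBFORM_ID=contact sh probe.sh`. One caveat worth knowing before reading the result: Drupal core's `CsrfRequestHeaderAccessCheck` only enforces the `X-CSRF-Token` header on write requests from an authenticated account that arrives with a session cookie, so an anonymous probe like the one in step 3 has no session for a CSRF token to protect and is not checked by core at all. To exercise the 403 path, log in, export the session cookie to `COOKIE_JAR`, and grant the "Webform Submit POST" permission to that role instead of anonymous.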