I have run into an issue with my CSRF token where some users are randomly getting a 403 Forbidden message on POSTs. The issue seems very similar to what is described in this ticket:


The error messages we're seeing indicate that the csrf_token cookie is not set, but we're able to tell from the request logs that the X-CSRFToken header WAS set, and it just appears not to be used at all.

The docs here:


…indicate that the X-CSRFToken header is the right place to do this… but that appears to have no effect when used in a POST if the csrf_token cookie is not also there. Removing the header also has no effect (when cookies are present).

Are the docs wrong? Is the only way to actually send the csrf_token for validation on POST/PUT/PATCH via cookies? Or is the CSRF middleware broken, as suggested in the ticket?

Thanks for any insights!