CSRF Failed: CSRF token from the 'X-Csrftoken' HTTP header has incorrect length. on logout

Hello,
I’m working on a Django Project with a vue frontend.
The csrf middleware is set:

MIDDLEWARE = [
    "django_prometheus.middleware.PrometheusBeforeMiddleware",
    "config.middleware.MetricsMiddleware",
    "django.middleware.security.SecurityMiddleware",
    "corsheaders.middleware.CorsMiddleware",
    "whitenoise.middleware.WhiteNoiseMiddleware",
    "django.contrib.sessions.middleware.SessionMiddleware",
    "django.middleware.locale.LocaleMiddleware",
    "django.middleware.common.CommonMiddleware",
    "django.middleware.csrf.CsrfViewMiddleware",
    "django.contrib.auth.middleware.AuthenticationMiddleware",
    "django.contrib.messages.middleware.MessageMiddleware",
    "django.middleware.clickjacking.XFrameOptionsMiddleware",
    "allauth.account.middleware.AccountMiddleware",
    'm_ebs_backend.users.middleware.CurrentUserMiddleware',
    'django_prometheus.middleware.PrometheusAfterMiddleware',
]

CSRF_COOKIE_HTTPONLY is False
CSRF_COOKIE_SECURE is True (runs on a server with https)
The cookie is used in frontend:

const headers = {
        'X-CSRFToken': this.currentCsrfToken ?? '',
      };

I’m using dj-rest-auth and the login as well as the user api call works fine, bun on logout I got this error. It can only b fixed by deleting the cookie and reload the page.
Here a few of my rest-auth settings:

AUTH_USER_MODEL = "users.User"
LOGIN_URL = 'rest_framework:login'
LOGOUT_URL = 'rest_framework:logout'
REST_AUTH = {
    'LOGIN_SERIALIZER': 'dj_rest_auth.serializers.LoginSerializer',
    'TOKEN_SERIALIZER': 'dj_rest_auth.serializers.TokenSerializer',
    'JWT_SERIALIZER': 'dj_rest_auth.serializers.JWTSerializer',
    'JWT_SERIALIZER_WITH_EXPIRATION': 'dj_rest_auth.serializers.JWTSerializerWithExpiration',
    'JWT_TOKEN_CLAIMS_SERIALIZER': 'rest_framework_simplejwt.serializers.TokenObtainPairSerializer',
    'USER_DETAILS_SERIALIZER': 'dj_rest_auth.serializers.UserDetailsSerializer',
    'PASSWORD_RESET_SERIALIZER': 'dj_rest_auth.serializers.PasswordResetSerializer',
    'PASSWORD_RESET_CONFIRM_SERIALIZER': 'dj_rest_auth.serializers.PasswordResetConfirmSerializer',
    'PASSWORD_CHANGE_SERIALIZER': 'dj_rest_auth.serializers.PasswordChangeSerializer',

    'REGISTER_SERIALIZER': 'dj_rest_auth.registration.serializers.RegisterSerializer',

    'REGISTER_PERMISSION_CLASSES': ('rest_framework.permissions.AllowAny',),

    'TOKEN_MODEL': 'rest_framework.authtoken.models.Token',
    'TOKEN_CREATOR': 'dj_rest_auth.utils.default_create_token',

    'PASSWORD_RESET_USE_SITES_DOMAIN': False,
    'OLD_PASSWORD_FIELD_ENABLED': True,
    'LOGOUT_ON_PASSWORD_CHANGE': True,
    'SESSION_LOGIN': True,
}

I’ve been looking for a solution since weeks but without success. I would be very happy if someone can help, and I hope that I provided enough information. Otherwise, ask for more. :wink:

Tracking this down may mean that you need to look at the headers being transferred with each exchange to see what’s being sent with each POST.

One of the requests should have an obviously-wrong header - identifying which request will help you to find the cause. You’ll need to work backward through your code to figure out where the invalid header is coming from, and from there try to determine why you’re getting it.

Oh, no, that is embarrassing… it was a copy&pase mistake in the vue api call. I was way too focused on that backend. The cookies were correctly set in the cookie sections, but there was an error, that the token was not correctly set in the headers.
But I still wonder why it works for the rest-auth user call, but not for the logout.

Thank you for your help.