Sitecore provides out of the box protection against Cross-Site Request Forgery. While very helpful, this feature sometimes can cause problems with internal Sitecore API calls. For instance, a couple of weeks ago, a client had issues loading engagement plans within a WFFM save action. When trying to scroll down to see additional plans, we only got a “Loading” spinner. Upon further inspection, I found that an internal Sitecore call was returning a 500 response:

500 error in an internal API call

If we take a look at the server response we can see a CSRF exception:

CSRF exception

We found the root of our issue! The good news is that we can easily solve this issue by adding an ignore wildcard to
Sitecore.AntiCsrf.config. Here, we can add a rule specific to our broken API request like this:

<ignore wildcard="/sitecore/shell/default.aspx*" />

Or we can ignore CSRF completely by adding:

<ignore wildcard="/sitecore/*"/>

Bingo! This solved our CSRF issue when loading additional engagement plans. No more “Loading” spinner 😉

Problem solved!

This will “solve” all our CSRF issues. However, keep in mind that it could open vulnerabilities in our site. So, as a recommendation. make sure that this configuration only gets deployed to the CM server where this calls are common.

Happy Sitecoring!.

Leave a Reply

Your email address will not be published. Required fields are marked *