Sitecore provides out of the box protection against Cross-Site Request Forgery. While very helpful, this feature sometimes can cause problems with internal Sitecore API calls. For instance, a couple of weeks ago, a client had issues loading engagement plans within a WFFM save action. When trying to scroll down to see additional plans, we only got a “Loading” spinner. Upon further inspection, I found that an internal Sitecore call was returning a 500 response:
If we take a look at the server response we can see a CSRF exception:
We found the root of our issue! The good news is that we can easily solve this issue by adding an ignore wildcard to
Sitecore.AntiCsrf.config. Here, we can add a rule specific to our broken API request like this:
<ignore wildcard="/sitecore/shell/default.aspx*" />
Or we can ignore CSRF completely by adding:
Bingo! This solved our CSRF issue when loading additional engagement plans. No more “Loading” spinner 😉
This will “solve” all our CSRF issues. However, keep in mind that it could open vulnerabilities in our site. So, as a recommendation. make sure that this configuration only gets deployed to the CM server where this calls are common.