15.2. Disabling CSRF For A URL
Cross-site request forgery (CSRF) protection can block HTTP POST requests that originate from a different site or external system. When this happens, the application may return a 419 Page has expired error during login or form submission.
Disabling CSRF for a specific URL can be used as a workaround when a POST must be accepted from an external source. This should be a last resort. Using a dedicated API endpoint for programmatic access is almost always a better and more secure approach.
When to consider disabling CSRF for a URL
- You are posting to a login or form URL from another site or system.
- The request consistently fails with 419 Page has expired and the behavior indicates a CSRF violation.
Important security considerations
- Disabling CSRF reduces protection against forged requests for the specified URL.
- Prefer using an API endpoint instead of submitting directly to web login or form URLs.
- If CSRF must be disabled, limit it to the single, specific URL required.
Disable CSRF protection for a specific URL
Step-by-step
- Open the application’s .env file.
- Add (or update) the DISABLE_CSRF setting to the exact URL that needs to accept the external POST.
DISABLE_CSRF="https://example.com/path/to/endpoint"
What to expect
- After setting DISABLE_CSRF for the targeted URL, retry the POST request.
- If the issue was caused by CSRF validation, the 419 errors should stop for that URL.
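A small check for the DISABLE_CSRF value, added here as an example and not HelpSpot's own code: it reads the setting from .env text, flags values that are not a single specific https URL, and compares a request URL against the exemption by exact match. The exact-match behaviour and the sample .env contents are assumptions; how HelpSpot itself matches the URL is not stated on this page.

```python
"""Check the DISABLE_CSRF value from a HelpSpot .env before relying on it.
Added example, not HelpSpot's own code: it assumes DISABLE_CSRF holds one
absolute URL (as on this page) and that only an exact URL match is exempted;
how HelpSpot itself matches the URL is not stated on the page."""
import re
from urllib.parse import urlsplit
ENV_LINE = re.compile(r'^\s*(?:export\s+)?([A-Z0-9_]+)\s*=\s*(.*?)\s*$')

def read_env(text):
    """Parse KEY=value lines from .env text into a dict, stripping quotes."""
    env = {}
    for line in text.splitlines():
        m = ENV_LINE.match(line)
        if not m or line.lstrip().startswith('#'):
            continue
        key, value = m.group(1), m.group(2)
        if len(value) >= 2 and value[0] == value[-1] and value[0] in '"\'':
            value = value[1:-1]
        env[key] = value
    return env

def check_disable_csrf(value):
    """Return the problems found with a DISABLE_CSRF value (empty list = OK)."""
    if not value:
        return ["DISABLE_CSRF is empty"]
    problems = []
    if ',' in value or ' ' in value.strip() or '*' in value:
        problems.append("must be one exact URL, not a list or wildcard")
    u = urlsplit(value)
    if u.scheme != 'https':
        problems.append("scheme should be https")
    if not u.netloc:
        problems.append("must be an absolute URL including the host")
    if u.path in ('', '/'):
        problems.append("path must name a specific endpoint, not the site root")
    return problems

def normalize(url):
    """Lowercase scheme and host, drop a trailing slash; ignore query/fragment."""
    u = urlsplit(url)
    return (u.scheme.lower(), u.netloc.lower(), u.path.rstrip('/') or '/')

def csrf_exempt(request_url, exempt_url):
    """True only when the request URL is exactly the exempted endpoint."""
    return normalize(request_url) == normalize(exempt_url)

# Constructed sample .env contents (not a real installation's file)
SAMPLE_ENV = ('APP_ENV=production\n# exempt only the external login endpoint\n'
              'DISABLE_CSRF="https://example.com/path/to/endpoint"\n')
```

Run `check_disable_csrf(read_env(open('.env').read()).get('DISABLE_CSRF', ''))` against a real file; an empty list means the value is one specific https endpoint.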