Disable CSRF token for a specific template

The only way I know how to disable CRSF is via a config setting but that’s a site wide setting - https://docs.expressionengine.com/latest/general/system-configuration-overrides.html#disable_csrf_protection - I’m not sure you you can modify the disable config item on the fly.

I should have read the docs more - does this help? https://docs.expressionengine.com/latest/development/guidelines/security.html#disabling-the-check

Exactly, I don’t want to disable this globally. Just for this specific POST request.

I did read that documentation link you provided, but I’m not sure what they mean with “This is done by setting the csrf_exempt column in the actions table to 1 for that action.”

What column? There is no specific code example on how this works or what has to be passed on the request. This is the reason I posted this, I found that link as well, but there is not enough information in the docs on how to use this. Searching the web gave me no results either, at least not for Expression Engine.

By way of background, I do want to say that we don’t recommend disabling the CSRF token.

That being said, in the exp_actions table there is a column called “csrf_exempt” This is how you can remove the need for the CSRF token check on a given ExpressionEngine Action. An action can be defined on install or update of an add-on.

Thanks,

-Tom Jaeger

I don’t want to disable this for the whole site. Just for a specific template but I think I might better get someone that knows JavaScript and just try to pass the token.

Not 100% sure of everything your doing etc… You can also throw a CSRF tolken into your template by doing the following

<input type="hidden" name="csrf_token" value="{csrf_token}">

Thought it might be helpful to pass along.