CSRF question

Hi everyone, I'm implementing the CSRF Token on Post forms in my project but I don't understand something.

I enabled the option, I set the API with POST method and I inserted the hidden field in the frontend as explained in the tutorial.

Everything works correctly but when I try to submit another form in a post that doesn't have a hidden field I don't receive any errors.

I saw that the token is in memory and I would like to understand if there is a way to delete it so as to check if all my forms are actually working properly.

The way you test if it's working is you edit the request your browser sent, and change the X-Csrf-Token header. It should fail.

You can edit and resend requests on your browser developer tools. Not sure if all browsers do that, you can try another browser if you don't find the option.

Thanks for the suggestion, I'll try it today and let you know.

You could use a Global Meta Tag instead of the hidden fields.

Using a Global Meta Tag

Using a global meta tag on the layout page is the easiest way to add the protection to all your pages.
When the meta tag is used it generates a new CSRF token and session on each page request.

Oh, I think he already has the meta tag and didn't realize it

Hi Ben, thanks for the reply.
If I understand correctly, using the global meta tag (which I have already set in the main layout) I don't need the hidden fields in the various post forms?

Maybe this is why everything worked even if I didn't insert the hidden fields, I had understood it differently.

When using a global meta tag on your main page you don't need the hidden input.
If you only want to protect some of the forms, then you can use the hidden input.

Perfect, now everything is clear.
Thank you all
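
The check suggested in the thread (resend a request with a changed or missing X-Csrf-Token and expect a failure), as an added example that is not part of the original posts and not the framework's own code. It is a generic session-token check in Node.js; the `_csrf` field name, the function names and the idea that page script copies the meta tag value into the X-Csrf-Token header are assumptions for illustration.

```javascript
// Added example: generic synchronizer-token check, not the framework's own code.
const crypto = require("crypto");

// Issue a per-session token; the page exposes it in a meta tag or a hidden input.
function issueToken(session) {
  session.csrfToken = crypto.randomBytes(32).toString("hex");
  return session.csrfToken;
}

// The token may arrive as the X-Csrf-Token header (assumed to be set by page
// script from the meta tag) or as a hidden form field (name "_csrf" is assumed).
function submittedToken(req) {
  return req.headers["x-csrf-token"] || (req.body && req.body._csrf) || "";
}

// Returns the HTTP status the server would answer with.
function checkCsrf(session, req) {
  if (["GET", "HEAD", "OPTIONS"].includes(req.method)) return 200;
  const expected = Buffer.from(session.csrfToken || "");
  const got = Buffer.from(String(submittedToken(req)));
  // timingSafeEqual throws on a length mismatch, so compare lengths first.
  if (expected.length === 0 || got.length !== expected.length) return 403;
  return crypto.timingSafeEqual(expected, got) ? 200 : 403;
}

// Replays one form submission in the variants discussed in the thread.
function probe() {
  const session = {};
  const token = issueToken(session);
  const post = (headers, body) =>
    checkCsrf(session, { method: "POST", headers, body });
  // Constructed tampered value: same length, first hex digit changed.
  const flipped = (token[0] === "0" ? "1" : "0") + token.slice(1);
  return {
    hiddenFieldOnly: post({}, { _csrf: token, name: "a" }),
    headerOnly: post({ "x-csrf-token": token }, { name: "a" }), // no hidden field
    tamperedHeader: post({ "x-csrf-token": flipped }, { name: "a" }),
    noTokenAtAll: post({}, { name: "a" }),
  };
}

console.log(probe());
```

The `headerOnly` case is why a form without a hidden input can still succeed when the header is sent; only the tampered and token-free variants are rejected.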