CSRF stands for Cross-Site Request Forgery and describes an attack in which an attacker's page causes a logged-in user's browser to submit requests the user did not intend, so that the action is carried out with that user's rights. To protect ChurchTools against CSRF attacks, we have introduced a CSRF token. It must be sent as a header with all calls to the old API. Specifically, this applies to all POST requests whose content type is application/x-www-form-urlencoded or multipart/form-data. This article explains how to do this.
After you have logged in, call the endpoint /api/csrftoken
to obtain the token. You then send this token as a header with every subsequent API request. The header looks like this:
CSRF-Token: $MEIN_TOKEN
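The flow above, fetch the token once after login and send it as the CSRF-Token header on later requests, as an added example that is not ChurchTools' own code. It pairs a small client with a constructed stand-in for the server so it runs offline; the JSON shape of the /api/csrftoken response (a "data" field holding the token), the example request path /api/example, and the use of a pre-authenticated session are assumptions, not taken from the article. The server side shows the check a practitioner would expect: form-encoded and multipart POSTs without a valid token are rejected, while the same request with the token succeeds.

```python
import json
import secrets
from typing import Callable, Dict, Optional, Tuple

# Content types for which the article says the CSRF-Token header is required.
CSRF_PROTECTED_TYPES = ("application/x-www-form-urlencoded", "multipart/form-data")

Request = Dict[str, object]
Response = Tuple[int, Dict[str, str], str]  # (status, response headers, body)


def needs_csrf_token(method: str, content_type: Optional[str]) -> bool:
    """True for the request shapes the article describes as CSRF-protected.

    Only the media type matters, so parameters such as
    'multipart/form-data; boundary=...' are stripped before comparing.
    """
    if method.upper() != "POST" or not content_type:
        return False
    media_type = content_type.split(";", 1)[0].strip().lower()
    return media_type in CSRF_PROTECTED_TYPES


class FakeChurchToolsServer:
    """Constructed stand-in for the server: issues one token per session and enforces it."""

    def __init__(self) -> None:
        self.issued_token = secrets.token_urlsafe(32)  # assumption: an opaque random token

    def __call__(self, req: Request) -> Response:
        method, path = str(req["method"]), str(req["path"])
        headers = {k.lower(): v for k, v in dict(req["headers"]).items()}  # type: ignore[arg-type]
        if method == "GET" and path == "/api/csrftoken":
            # Assumed response shape: {"data": "<token>"}.
            return 200, {"Content-Type": "application/json"}, json.dumps({"data": self.issued_token})
        if needs_csrf_token(method, headers.get("content-type")):
            presented = headers.get("csrf-token")
            # Constant-time comparison so the check cannot leak the token via timing.
            if presented is None or not secrets.compare_digest(presented, self.issued_token):
                return 403, {}, json.dumps({"message": "CSRF token missing or invalid"})
        return 200, {"Content-Type": "application/json"}, json.dumps({"status": "ok"})


class ChurchToolsClient:
    """Minimal client: fetches the token once, then sends it on every later request."""

    def __init__(self, transport: Callable[[Request], Response]) -> None:
        self._transport = transport  # injected so the example runs without a network
        self._token: Optional[str] = None

    def fetch_csrf_token(self) -> str:
        status, _, body = self._transport(
            {"method": "GET", "path": "/api/csrftoken", "headers": {}, "body": ""}
        )
        if status != 200:
            raise RuntimeError(f"/api/csrftoken returned HTTP {status}")
        self._token = json.loads(body)["data"]  # assumed response shape
        return self._token

    def request(self, method: str, path: str,
                content_type: Optional[str] = None, body: str = "") -> Response:
        headers: Dict[str, str] = {}
        if content_type:
            headers["Content-Type"] = content_type
        if self._token is None:
            self.fetch_csrf_token()
        headers["CSRF-Token"] = self._token  # sent with every request after login
        return self._transport({"method": method, "path": path, "headers": headers, "body": body})


def run_demo() -> Dict[str, int]:
    """Returns the HTTP status of a forged form POST and of a legitimate one."""
    server = FakeChurchToolsServer()
    # A cross-site form submission carries the victim's session cookie but can
    # never set a custom header, so it arrives without CSRF-Token and is rejected.
    forged_status, _, _ = server({
        "method": "POST", "path": "/api/example",
        "headers": {"Content-Type": "application/x-www-form-urlencoded"},
        "body": "action=delete&id=42",
    })
    # The real client fetched the token first and presents it on the same request.
    client = ChurchToolsClient(server)
    legit_status, _, _ = client.request(
        "POST", "/api/example", "application/x-www-form-urlencoded", "action=delete&id=42"
    )
    return {"forged": forged_status, "legitimate": legit_status}


if __name__ == "__main__":
    print(run_demo())
```

The decisive property is that a browser will attach cookies to a cross-site form post but will not attach a custom header such as CSRF-Token, which is why checking the header defeats the forgery; JSON requests fall outside the rule the article states, so `needs_csrf_token` leaves them alone.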