{"id":42288,"date":"2024-06-13T16:27:49","date_gmt":"2024-06-13T15:27:49","guid":{"rendered":"https:\/\/churchtools.academy\/help\/non-knowledgebase\/uncategorized\/csrf-prevention\/"},"modified":"2025-11-17T08:54:10","modified_gmt":"2025-11-17T07:54:10","password":"","slug":"csrf-prevention","status":"publish","type":"docs","link":"https:\/\/churchtools.academy\/en\/help\/system-settings\/general-data-security-privacy\/csrf-prevention\/","title":{"rendered":"CSRF prevention"},"content":{"rendered":"\n<aside class=\"wp-block-group ct-box ct-box-blue has-background is-vertical is-layout-flex wp-container-core-group-is-layout-002f1c27 wp-block-group-is-layout-flex\" style=\"border-radius:8px;border-left-color:#3e70ce;border-left-width:0.5rem;background-color:#f3f5f7;margin-top:var(--wp--preset--spacing--60);margin-bottom:var(--wp--preset--spacing--60)\">\n<p style=\"margin-top:0.5rem;margin-right:0.5rem;margin-bottom:0rem;margin-left:0.5rem\"><strong>Note<\/strong><\/p>\n\n\n\n<p style=\"margin-top:0rem;margin-right:0.5rem;margin-bottom:0.5rem;margin-left:0.5rem\">Relevant for all those who use the old ChurchTools API.<\/p>\n<\/aside>\n\n\n\n<p>CSRF stands for <a href=\"https:\/\/developer.mozilla.org\/en-US\/docs\/Glossary\/CSRF\">Cross-Site-Request-Forgery<\/a> and describes an attack in which unwanted actions are triggered via a user in order to abuse their rights. To prevent ChurchTools from being vulnerable to CSRF attacks, we have introduced a CSRF token. This must be sent as a header with all old API calls. Specifically, this applies to all POST requests that have the content type application\/x-www-form-urlencoded or  set. We explain how to do this in this article.    <\/p>\n\n\n\n<p>After you have logged in, you call up the API <code>\/api\/csrftoken<\/code> to get the token. You then send this token as a header with every subsequent API request. The header looks like this:  <\/p>\n\n\n\n<p><code>CSRF-Token: $MEIN_TOKEN<\/code><\/p>\n\n\n\n<aside class=\"wp-block-group ct-box ct-box-blue has-text-color has-background has-link-color wp-elements-74648fa9a9506de5179716347194bc98 is-vertical is-layout-flex wp-container-core-group-is-layout-002f1c27 wp-block-group-is-layout-flex\" style=\"border-radius:8px;border-left-color:#e7c000;border-left-width:0.5rem;color:#3f3400;background-color:#ffe5644d;margin-top:var(--wp--preset--spacing--60);margin-bottom:var(--wp--preset--spacing--60)\">\n<p style=\"margin-top:0.5rem;margin-right:0.5rem;margin-bottom:0rem;margin-left:0.5rem\"><strong>Warning<\/strong><\/p>\n\n\n\n<p style=\"margin-top:0rem;margin-right:0.5rem;margin-bottom:0.5rem;margin-left:0.5rem\">The CSRF token check can currently still be deactivated in the System settings. However, we strongly recommend that you do not do this, as this is a security risk.   <br><br>This option will be removed in a future version and the verification of the CSRF token will then always be active.<\/p>\n<\/aside>\n\n\n\n<aside class=\"wp-block-group ct-artikel-zum-weiterlesen has-background is-layout-constrained wp-container-core-group-is-layout-89fd719a wp-block-group-is-layout-constrained\" style=\"border-radius:8px;background-color:#f9fafb;margin-top:24px;margin-bottom:24px;padding-top:32px;padding-right:24px;padding-bottom:32px;padding-left:24px\">\n<h2 class=\"wp-block-heading has-medium-font-size\">Article to read more<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/churchtools.academy\/en\/help\/system-settings\/api-en\/overview-api\/\" data-type=\"docs\" data-id=\"7251\">Overview API<\/a><\/li>\n<\/ul>\n<\/aside>\n","protected":false},"excerpt":{"rendered":"<p>CSRF stands for Cross-Site-Request-Forgery and describes an attack in which unwanted actions are triggered via a user in order to abuse their rights. To prevent ChurchTools from being vulnerable to CSRF attacks, we have introduced a CSRF token. This must be sent as a header with all old API calls. Specifically, this applies to all [&hellip;]<\/p>\n","protected":false},"author":6,"featured_media":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_acf_changed":false,"footnotes":""},"doc_category":[431],"doc_tag":[],"knowledge_base":[425],"class_list":["post-42288","docs","type-docs","status-publish","hentry","doc_category-general-data-security-privacy","knowledge_base-system-settings"],"pp_statuses_selecting_workflow":false,"pp_workflow_action":"current","pp_status_selection":"publish","acf":[],"year_month":"2026-05","word_count":118,"total_views":"666","reactions":{"happy":"0","normal":"0","sad":"0"},"author_info":{"name":"Jasper Stehmeier","author_nicename":"jstehmeier","author_url":"https:\/\/churchtools.academy\/en\/author\/jstehmeier\/"},"doc_category_info":[{"term_name":"General","term_url":"https:\/\/churchtools.academy\/en\/help\/system-settings\/general-data-security-privacy\/"}],"doc_tag_info":[],"knowledge_base_info":[{"term_name":"System Settings","term_url":"https:\/\/churchtools.academy\/en\/help\/system-settings\/","term_slug":"system-settings"}],"knowledge_base_slug":["system-settings"],"_links":{"self":[{"href":"https:\/\/churchtools.academy\/en\/wp-json\/wp\/v2\/docs\/42288","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/churchtools.academy\/en\/wp-json\/wp\/v2\/docs"}],"about":[{"href":"https:\/\/churchtools.academy\/en\/wp-json\/wp\/v2\/types\/docs"}],"author":[{"embeddable":true,"href":"https:\/\/churchtools.academy\/en\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/churchtools.academy\/en\/wp-json\/wp\/v2\/comments?post=42288"}],"version-history":[{"count":5,"href":"https:\/\/churchtools.academy\/en\/wp-json\/wp\/v2\/docs\/42288\/revisions"}],"predecessor-version":[{"id":42293,"href":"https:\/\/churchtools.academy\/en\/wp-json\/wp\/v2\/docs\/42288\/revisions\/42293"}],"wp:attachment":[{"href":"https:\/\/churchtools.academy\/en\/wp-json\/wp\/v2\/media?parent=42288"}],"wp:term":[{"taxonomy":"doc_category","embeddable":true,"href":"https:\/\/churchtools.academy\/en\/wp-json\/wp\/v2\/doc_category?post=42288"},{"taxonomy":"doc_tag","embeddable":true,"href":"https:\/\/churchtools.academy\/en\/wp-json\/wp\/v2\/doc_tag?post=42288"},{"taxonomy":"knowledge_base","embeddable":true,"href":"https:\/\/churchtools.academy\/en\/wp-json\/wp\/v2\/knowledge_base?post=42288"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}