I’m trying to request an Ajax POST, and I’m getting the error 403 (Forbidden) and the error Missing CSRF token body
It’s running on the IIS server, and it’s the 4.0 Cake
This is the Ajax call; the Headers line I found in another forum, but without success
```php
public function middleware(MiddlewareQueue $middlewareQueue): MiddlewareQueue
    $csrf = new CsrfProtectionMiddleware();
    // Catch any exceptions in the lower layers,
    // and make an error page/response
    // Handle plugin/theme assets like CakePHP normally does.
    'cacheTime' => Configure::read('Asset.cacheTime'),
    // Ensure routing middleware is added to the queue before CSRF protection middleware.
```
This doesn’t answer your question directly, but instead it shows a working solution of using AJAX with CakePHP 4 and CSRF and as a bonus the form tampering protection too: -
In there it doesn’t access the token directly from getParam(), but uses the CakePHP form creator to populate the hidden field it uses for passing the token (so it’s in the form, not the header). It may help.
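The two ways of passing the token that this thread discusses (request header versus the hidden form field), as an added example that is not code from either poster or from CakePHP. The helper names, the sample markup and the result labels are assumptions made for illustration; `checkDoubleSubmit` is a simplified model of a double-submit comparison, not the middleware's actual implementation.

```javascript
// Added example; extractCsrfToken, buildAjaxPost and checkDoubleSubmit are
// hypothetical helpers, and the markup and token value are constructed.

// Read the token from the hidden _csrfToken field of a rendered form.
function extractCsrfToken(html) {
  const input = html.match(/<input\b[^>]*\bname="_csrfToken"[^>]*>/i);
  if (!input) return null;
  const value = input[0].match(/\bvalue="([^"]*)"/i);
  return value ? value[1] : null;
}

// Build the POST so the token travels either in the X-CSRF-Token header
// or as the _csrfToken field of the urlencoded body.
function buildAjaxPost(url, fields, token, via = "header") {
  const body = new URLSearchParams(fields);
  const headers = {
    "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
  };
  if (token && via === "header") headers["X-CSRF-Token"] = token;
  if (token && via === "body") body.set("_csrfToken", token);
  // Usable in a browser as fetch(req.url, req); "same-origin" sends the cookie.
  return { url, method: "POST", credentials: "same-origin", headers, body: body.toString() };
}

// Simplified model of the server-side check: the token sent with the request
// must equal the one in the CSRF cookie. A real server compares in constant
// time; the result labels here are this example's own.
function checkDoubleSubmit(request, cookieToken) {
  const sent = request.headers["X-CSRF-Token"] ||
    new URLSearchParams(request.body).get("_csrfToken");
  if (!cookieToken) return "missing-cookie";
  if (!sent) return "missing-token"; // the case that ends in a 403
  return sent === cookieToken ? "ok" : "mismatch";
}

// Constructed sample of a rendered form with the hidden token field.
const SAMPLE_FORM = '<form method="post" action="/items/add">' +
  '<input type="hidden" name="_csrfToken" autocomplete="off" value="constructed-token-123"/>' +
  '<input type="text" name="title"/></form>';
```
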