However, it makes no difference. $.ajaxSetup({ headers: { 'X-CSRF-Token': $('meta[name="csrf-token"]').attr('content') } }). The best way to do this is actually just to use <%= form_authenticity_token.to_s %> to print out the token directly in your Rails code. Set the CSRF token for Rails when doing Ajax requests. kieran/CSRF-ajax-setup.js.coffee (ruby). class Api::V1::ApplicationController < ActionController::Base; protect_from_forgery; before_filter :set_csrf_header. So I'd suggest instead passing a CSRF token as a cookie or header value via an after filter for all requests. The API can simply re-submit that back as a header value of X-CSRF-Token, which Rails already checks. Rails assigns a cryptographically random CSRF token to the user session. When posting with Ajax, you need to forward the CSRF token in the X-CSRF-Token header. form_authenticity_token == request.headers['X-CSRF-Token'] end. Hopefully you now have a better understanding of how CSRF token verification works and just what Rails is doing under the hood. I couldn't make this work because fetch() lowercases all the header keys, and the Rails server cannot tell that "x-csrf-token" contains the info for "X-CSRF-Token". This is also not working for me, so I have overridden this verified_request? method. CsrfToken. I am trying to perform a cross-platform request in Rails. My HTML code is: If it makes sense, you can remove the CSRF token verification. Just add this to your controller. rails csrf token lifetime. I use the Rails request_forgery_protection mechanism to protect my POST actions from CSRF attacks and a captcha to protect the GET actions. Why is my user's X-CSRF-Token header different from the csrf_token in the session? Passing X-CSRF-Token (Ruby on Rails) 424. Closed. peric opened this Issue Nov 1, 2016. 12 comments. headers.append('X-Requested-With', 'XMLHttpRequest'); headers.append('X-CSRF-TOKEN', csrfToken). These configuration defaults tell Rails that requests are valid by including the CSRF token and that all responses should be formatted as JSON.
Axios sets the Accept header to include ALL MIME TYPES out of the box! The second part of making Ajax requests work again is to set the X-CSRF-Token header on all Ajax requests with the authenticity token. Update: Mislav Marohnić points out that Rails uses jQuery 1.