Extract X-XSRF-TOKEN from cookie and add to header in POST - 403 error


I currently trying to deploy dash apps on Siemens MindSphere and have the problem that the gateway expects the x-xsrf-token added to the POST header request to _dash-update-component.

If this is not provided in the header the POST request results in:
403 - ##### MSG exception: Invalid CSRF Token ‘null’ was found on the request parameter ‘_csrf’ or header ‘X-XSRF-TOKEN’

I found a thread on “name of CSRF cookie is hard-coded” here:

From the MindSphere community forum again the solution is stated as:
"If this is running in the frontend webapp, you need to set both the Origin header and the X-XSRF-Token headers before sending the request to MindSphere, as stated in the documentation.

The Cookie is set for you on successful authentication, you don’t have to add any cookie. What you need to do is extract the value of the XSRF-TOKEN cookie in your frontend code and then pass it as the value of the X-XSRF-Token header. "

The code snippet which should do this is from here:
app.use(’/’, function(req, res, next) {
“x-xsrf-token”: req.cookies[‘XSRF-TOKEN’],
“origin”: req.headers[“host”]

Here is the documentation from Mindsphere:

I check the POST request in firefox and origin is set correct. When I manually edit and resend the request, adding "x-xsrf-token: [from cookie XSRF-TOKEN] it goes through the gateway and returns the json for update the graph.

Is it possible to add the field in the POST request header and extract the XSRF-TOKEN from the cookie in the client/browser with dash. Is there any way to do it? - e.g. add this piece of javascript? The app runs in mindsphere cloud foundry environment.

just found this related post:

Is there any way forward with this work?


1 Like

Hi community!

We are engaging commercially with Matthias to address these issues. We’ll update this issue once we have a solution in place.