Mattermost, Inc.

CSRF Header error message after every request?

We seem to be getting errors in mattermost.log constantly ever since our most recent upgrade to MM 5.11.0.

It looks to me that every request for /api/v4/users/status/ids is generating this error. The logs look something like (over and over and over):

{"level":"debug","ts":155938457.2341234:"caller":"web/handlers.go:58","msg":"POST - /api/v4/users/status/ids"}
{"level":"debug","ts":155938457.2512234:"caller":"mlog/log.go:160","msg":"CSRF Header check failed for request - Please upgrade your web application or custom app to set a CSRF Header"}

I’m not sure how to determine what app it thinks is hitting it. I’ve disabled plugins, which had no effect. Could it be an old MM client? Is there an access log or something that I can use to cross reference with the timestamp?

Hi @kridan,

Absolutely, it could be an outdated client. Currently it’s only a debug message to identify problems that might come up later. Migrating to the new CSRF protection is not required (only the debug message is shown), but with a later release we will enforce it. I’ve just opened a pull request that will add some additional logging to the message to identify potential problems more easily:

It is important to note that this is currently not breaking anything, it’s merely debug information (thus the debug level of the message). Feel free to ignore it, we will make sure that the breaking change is announced in advance. Once the pull request above is merged it will be easier to identify the client causing the debug messages, or the plugin / integration.

If you have any questions just let me know.


Wow - thanks so much for the quick turnaround.
I’ll keep an eye out for the release that this gets tagged to. No harm in the meantime other than larger than usual logs.
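
For the timestamp cross-referencing asked about in this thread, here is an added example (not part of the original posts and not Mattermost code) that pairs each "CSRF Header check failed" debug line with the request line logged just before it and counts failures per endpoint. It assumes valid JSON log lines with the `ts`, `caller` and `msg` fields shown above, that request lines come from `web/handlers.go`, and a hypothetical 1-second pairing window; the sample log is constructed, and on a busy server with interleaved requests the pairing is only approximate.

```python
import json
from collections import Counter

CSRF_MARKER = "CSRF Header check failed"
REQUEST_CALLER = "web/handlers.go"  # caller of the request lines quoted in the thread
MAX_GAP_SECONDS = 1.0               # assumption: pairing window, tune for your server

# Constructed sample in the shape of the lines quoted above (timestamps invented).
SAMPLE_LOG = """\
{"level":"debug","ts":100.00,"caller":"web/handlers.go:58","msg":"POST - /api/v4/users/status/ids"}
{"level":"debug","ts":100.02,"caller":"mlog/log.go:160","msg":"CSRF Header check failed for request - Please upgrade your web application or custom app to set a CSRF Header"}
{"level":"debug","ts":100.50,"caller":"web/handlers.go:58","msg":"GET - /api/v4/users/me"}
{"level":"debug","ts":101.00,"caller":"web/handlers.go:58","msg":"POST - /api/v4/users/status/ids"}
{"level":"debug","ts":101.01,"caller":"mlog/log.go:160","msg":"CSRF Header check failed for request - Please upgrade your web application or custom app to set a CSRF Header"}
{"level":"debug","ts":101.90:"caller":"web/handlers.go:58","msg":"POST - /api/v4/users/status/ids"}
{"level":"debug","ts":105.00,"caller":"web/handlers.go:58","msg":"POST - /api/v4/posts"}
{"level":"debug","ts":110.00,"caller":"mlog/log.go:160","msg":"CSRF Header check failed for request - Please upgrade your web application or custom app to set a CSRF Header"}
"""


def correlate_csrf_failures(lines, max_gap=MAX_GAP_SECONDS):
    """Return (failures per 'METHOD - path', unmatched failures, unparseable lines)."""
    hits = Counter()
    unmatched = skipped = 0
    last_request = None  # (timestamp, message) of the most recent request line
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            entry = json.loads(raw)
            ts, msg = float(entry["ts"]), str(entry["msg"])
        except (ValueError, KeyError, TypeError):
            skipped += 1  # truncated or malformed line: count it, do not guess
            continue
        if str(entry.get("caller", "")).startswith(REQUEST_CALLER):
            last_request = (ts, msg)
        elif CSRF_MARKER in msg:
            if last_request and 0 <= ts - last_request[0] <= max_gap:
                hits[last_request[1]] += 1
                last_request = None  # one failure per request line
            else:
                unmatched += 1  # no request line close enough to blame
    return hits, unmatched, skipped


if __name__ == "__main__":
    print(correlate_csrf_failures(SAMPLE_LOG.splitlines()))
```
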