5

I've seen no answers on SO so far that answer this without suggesting to just disable it (which I don't want to do).

Locally, everything works, but deployed to production on Heroku I'm getting InvalidAuthenticityToken.

From everything I can see, everything is set up properly.

  • Fresh app on Rails 6.0.3.1 (so it's not migrated where the setting may be disabled by default)
  • RAILS_MASTER_KEY set in Heroku for session
  • session_store.rb set to `Rails.application.config.session_store :cookie_store, key: '__app_session', expire_after: 1.year`
  • csrf_meta_tags in my layout as well as csp_meta_tag
  • ajax not used, this is a plain form_with. I can see the CSRF tag in dev tools so I know it's in the HTML

I considered it maybe is because of this in ApplicationController:

before_action :authenticate

however it seems that prepend: true is no longer set within the application controller...

I tried overriding it anyway by just adding it (even though it's not there by default, and it still doesn't work if I add this above the before_action line):

protect_from_forgery with: :exception, prepend: true

Edit: I'll also say this fixed Sidekiq showing forbidden when trying to issue DELETE commands as well (kill job button).

Tallboy
  • Are you self hosting in production? using SSL? – cdadityang May 24 '20 at 06:44
  • Heroku, with Cloudflare... however you saying that made me realize I never changed Flexible SSL to Full. If SSL is a potential source of problems that could be it. – Tallboy May 24 '20 at 07:00
  • Try that, even add `config.force_ssl = true` in `config/environments/production.rb` file – cdadityang May 24 '20 at 07:06
  • 1
    amazing, that worked. Can you put that as the answer so I can mark it? You can put a few options if you want (flexible ssl, force_ssl, etc). Also I should add that this fixed sidekiq displaying 'forbidden' – Tallboy May 24 '20 at 07:08

1 Answer

4

Try adding `config.force_ssl = true` in your `config/environments/production.rb` and make sure your SSL is configured properly, like you said, switching to Full SSL instead of Flexible.

cdadityang
  • Can you please help how we can do this with an app hosted on AWS EC2? I am trying to remove the "Forbidden" error on Sidekiq, when trying to perform "Retry All" – Dheeraj Avvari Aug 04 '20 at 18:46
  • 1
    @DheerajAvvari Did you add `config.force_ssl = true` to your `config/environments/production.rb` file? And are you sure you've configured SSL properly in EC2? Which server are you running - Apache/Nginx? What are you using for SSL - certbot or something else? – cdadityang Aug 09 '20 at 09:00
  • 1
    I'm using Cloudflare DNS + Heroku hosted and I can confirm this worked for me (Rails 7 alpha 2) – equivalent8 Sep 19 '21 at 12:43
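As an added illustration (not code from the question, the answer, or Rails itself), here is a small Ruby model of the origin comparison Rails' forgery protection runs next to the token check: the browser's Origin header must equal the base URL the app reconstructs from the proxy's X-Forwarded-Proto header, so an edge that terminates TLS but reaches the app over plain HTTP (Cloudflare "Flexible") makes the check fail even though the token itself is fine. The header values and hostnames are constructed, and the functions are simplified stand-ins, not ActionController's own.

```ruby
# Added example modelling why Flexible SSL produces InvalidAuthenticityToken.
# Rails accepts a POST only if the Origin header (when present) equals the
# base URL it reconstructs from the request, and behind a proxy the scheme of
# that base URL comes from X-Forwarded-Proto, which Heroku's router sets from
# the scheme the request arrived on.

# Base URL as the app sees it. Constructed stand-in for request.base_url.
def base_url_seen_by_app(env)
  scheme = env['HTTP_X_FORWARDED_PROTO'] || 'http'
  "#{scheme}://#{env['HTTP_HOST']}"
end

# Simplified stand-in for ActionController's valid_request_origin?:
# a missing Origin is accepted, a present one must match exactly.
def valid_request_origin?(env)
  origin = env['HTTP_ORIGIN']
  origin.nil? || origin == base_url_seen_by_app(env)
end

def diagnose(env)
  valid_request_origin?(env) ? :ok : :invalid_authenticity_token
end

# Stand-in for what config.force_ssl adds (ActionDispatch::SSL): any request
# the app does not see as https is redirected to https. With Flexible SSL the
# app never sees https, so that redirect loops; with Full SSL it passes.
def force_ssl_response(env)
  env['HTTP_X_FORWARDED_PROTO'] == 'https' ? :pass : :redirect_to_https
end

# Constructed request environments for a form POST to an HTTPS page.
# Flexible: Cloudflare terminates TLS and talks plain HTTP to Heroku,
# so the proxy reports http although the browser used https.
FLEXIBLE_SSL_POST = {
  'HTTP_HOST' => 'example.com',
  'HTTP_ORIGIN' => 'https://example.com',
  'HTTP_X_FORWARDED_PROTO' => 'http'
}.freeze

# Full: the edge-to-origin hop is TLS too, so the proxy reports https.
FULL_SSL_POST = FLEXIBLE_SSL_POST.merge('HTTP_X_FORWARDED_PROTO' => 'https').freeze

if __FILE__ == $0
  puts "Flexible SSL: #{diagnose(FLEXIBLE_SSL_POST)} / force_ssl: #{force_ssl_response(FLEXIBLE_SSL_POST)}"
  puts "Full SSL:     #{diagnose(FULL_SSL_POST)} / force_ssl: #{force_ssl_response(FULL_SSL_POST)}"
end
```

The same mismatch explains the Sidekiq web UI's "Forbidden" on DELETE/POST actions, since it applies an origin comparison of its own to those requests.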