Magento 2.3 upgrade breaks HTTP POST requests to custom module endpoint The Next CEO of Stack OverflowExternal Request - Invalid Form Key Magento 2.3How to bypass CSRF validation for certain requests like payment gateway webhook?magento2.3 controller won't handle post methodMagento 2.3 upgrade breaks HTTP POST requests to custom module endpoint - Is there a backwards compatible solution?How can i rewrite TierPrice Block in Magento2magento 2 captcha not rendering if I override layout xmlHow to introduce a new type for widget parameter in Magento2?main.CRITICAL: Plugin class doesn't existMagento 2 : Problem while adding custom button order view page?Magento 2.2.5: Overriding Admin Controller sales/orderMagento 2.2.5: Add, Update and Delete existing products Custom OptionsMagento 2.3 upgrade breaks HTTP POST requests to custom module endpoint - Is there a backwards compatible solution?How to create AJAX action for POST requests in Magento 2.3?How to bypass CSRF validation for certain requests like payment gateway webhook?

Increase performance creating Mandelbrot set in python

How to use tikz in fbox?

Only print output after finding pattern

Unreliable Magic - Is it worth it?

Inappropriate reference requests from Journal reviewers

How to make a variable always equal to the result of some calculations?

How do I get the green key off the shelf in the Dobby level of Lego Harry Potter 2?

How to write papers efficiently when English isn't my first language?

Why do professional authors make "consistency" mistakes? And how to avoid them?

Anatomically Correct Strange Women In Ponds Distributing Swords

Does it take more energy to get to Venus or to Mars?

How do we know the LHC results are robust?

How to Reset Passwords on Multiple Websites Easily?

Why here is plural "We went to the movies last night."

Is the concept of a "numerable" fiber bundle really useful or an empty generalization?

Natural language into sentence logic

What is the purpose of the Evocation wizard's Potent Cantrip feature?

Describing a person. What needs to be mentioned?

Why didn't Khan get resurrected in the Genesis Explosion?

What is the difference between "behavior" and "behaviour"?

Return the Closest Prime Number

Is HostGator storing my password in plaintext?

Visit to the USA with ESTA approved before trip to Iran

Robert Sheckley short story about vacation spots being overwhelmed



Magento 2.3 upgrade breaks HTTP POST requests to custom module endpoint



The Next CEO of Stack OverflowExternal Request - Invalid Form Key Magento 2.3How to bypass CSRF validation for certain requests like payment gateway webhook?magento2.3 controller won't handle post methodMagento 2.3 upgrade breaks HTTP POST requests to custom module endpoint - Is there a backwards compatible solution?How can i rewrite TierPrice Block in Magento2magento 2 captcha not rendering if I override layout xmlHow to introduce a new type for widget parameter in Magento2?main.CRITICAL: Plugin class doesn't existMagento 2 : Problem while adding custom button order view page?Magento 2.2.5: Overriding Admin Controller sales/orderMagento 2.2.5: Add, Update and Delete existing products Custom OptionsMagento 2.3 upgrade breaks HTTP POST requests to custom module endpoint - Is there a backwards compatible solution?How to create AJAX action for POST requests in Magento 2.3?How to bypass CSRF validation for certain requests like payment gateway webhook?










0















I have a custom module with a defined route as:



<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:framework:App/etc/routes.xsd">
<router id="standard">
<route id="custom_module" frontName="custom-module">
<module name="Custom_Module" />
</route>
</router>
</config>


With previous versions of Magento both GET and POST requests would work fine to http://mywebsite.com/custom-module/controllername



After upgrading to Magento 2.3.0, GET requests still work as before, however POST requests now do not call the execute() method of the controller. Instead, they respond with a 200 OK and a response body that is the homepage html of the website.



Does this have to do with some Csrf security feature and form keys that was added in v2.3?










share|improve this question




























    0















    I have a custom module with a defined route as:



    <config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:framework:App/etc/routes.xsd">
    <router id="standard">
    <route id="custom_module" frontName="custom-module">
    <module name="Custom_Module" />
    </route>
    </router>
    </config>


    With previous versions of Magento both GET and POST requests would work fine to http://mywebsite.com/custom-module/controllername



    After upgrading to Magento 2.3.0, GET requests still work as before, however POST requests now do not call the execute() method of the controller. Instead, they respond with a 200 OK and a response body that is the homepage html of the website.



    Does this have to do with some Csrf security feature and form keys that was added in v2.3?










    share|improve this question


























      0












      0








      0








      I have a custom module with a defined route as:



      <config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:framework:App/etc/routes.xsd">
      <router id="standard">
      <route id="custom_module" frontName="custom-module">
      <module name="Custom_Module" />
      </route>
      </router>
      </config>


      With previous versions of Magento both GET and POST requests would work fine to http://mywebsite.com/custom-module/controllername



      After upgrading to Magento 2.3.0, GET requests still work as before, however POST requests now do not call the execute() method of the controller. Instead, they respond with a 200 OK and a response body that is the homepage html of the website.



      Does this have to do with some Csrf security feature and form keys that was added in v2.3?










      share|improve this question
















      I have a custom module with a defined route as:



      <config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:framework:App/etc/routes.xsd">
      <router id="standard">
      <route id="custom_module" frontName="custom-module">
      <module name="Custom_Module" />
      </route>
      </router>
      </config>


      With previous versions of Magento both GET and POST requests would work fine to http://mywebsite.com/custom-module/controllername



      After upgrading to Magento 2.3.0, GET requests still work as before, however POST requests now do not call the execute() method of the controller. Instead, they respond with a 200 OK and a response body that is the homepage html of the website.



      Does this have to do with some Csrf security feature and form keys that was added in v2.3?







      magento2 magento2.3






      share|improve this question















      share|improve this question













      share|improve this question




      share|improve this question








      edited Dec 13 '18 at 4:39









      Keyur Shah

      13.2k24165




      13.2k24165










      asked Dec 12 '18 at 17:54









      snezsnez

      2401211




      2401211




















          4 Answers
          4






          active

          oldest

          votes


















          8














          Found the solution, your controller must implement CsrfAwareActionInterface and 2 of its methods:



          use MagentoFrameworkAppCsrfAwareActionInterface;
          use MagentoFrameworkAppRequestInterface;
          use MagentoFrameworkAppRequestInvalidRequestException;

          class MyController extends MagentoFrameworkAppActionAction implements CsrfAwareActionInterface

          public function createCsrfValidationException(RequestInterface $request): ?InvalidRequestException

          return null;


          public function validateForCsrf(RequestInterface $request): ?bool

          return true;




          This solves the problem, but is also backwards incompatible, i.e. your module will now not work on Magento 2.2 and earlier.






          share|improve this answer























          • Working like a charm. this is what i am looking at.. thanks!!

            – Pravin
            Jan 12 at 15:44











          • Check this answer for backwards compatibility: magento.stackexchange.com/a/261410/74078

            – gemig_hol
            Mar 17 at 17:26


















          0














          One could provide a compatible solution to PHP 7.1< & Mage 2.3< if they were to outsource the validator to a different class, e.g.



          if (PHP_VERSION_ID < 70100) 
          class Index extends ExtendableMain
          else
          class Index extends ExtendableCsrCompatible



          Where ExtendableMain has the logic for execute() and CsrCompatible can both extend ExtendableMain and implements CsrfAwareActionInterface. E.g:



          class Main extends Action 

          execute() ...



          And



          class CsrCompatible extends Main implements CsrfAwareActionInterface 

          //interface functions



          The 5.6-7.0 will just never go into the CsrCompatible and therefore not throw an exception when it sees the fancy ?bool code.






          share|improve this answer






























            0














            Implement CsrfAwareActionInterface is a solution, but it makes the code not compatible with Magento < 2.3



            Here is a trick (injecting the Key to the request on the Action) that is compatible with Magento 2.X



            Put it in the constructor of the Action.



             // CsrfAwareAction Magento2.3 compatibility
            if (interface_exists("MagentoFrameworkAppCsrfAwareActionInterface"))
            $request = $this->getRequest();
            if ($request instanceof HttpRequest && $request->isPost() && empty($request->getParam('form_key')))
            $formKey = $this->_objectManager->get(MagentoFrameworkDataFormFormKey::class);
            $request->setParam('form_key', $formKey->getFormKey());







            share|improve this answer






























              0














              Please check more generous solution that does not change core functionality, you can use around plugin on Validate function of MagentoFrameworkAppRequestCsrfValidator class




              This implementation does not break the core functionality of Magento 2.1/2.2/2.3 versions.




              di.xml



              <?xml version="1.0"?>
              <config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:framework:ObjectManager/etc/config.xsd">
              <type name="MagentoFrameworkAppRequestCsrfValidator">
              <plugin name="csrf_validator_skip" type="ModuleVendorPluginCsrfValidatorSkip" />
              </type>
              </config>


              CsrfValidatorSkip.php



              <?php
              namespace ModuleVendorPlugin;
              class CsrfValidatorSkip

              /**
              * @param MagentoFrameworkAppRequestCsrfValidator $subject
              * @param Closure $proceed
              * @param MagentoFrameworkAppRequestInterface $request
              * @param MagentoFrameworkAppActionInterface $action
              */
              public function aroundValidate(
              $subject,
              Closure $proceed,
              $request,
              $action
              )
              if ($request->getModuleName() == 'Your_Module_frontName_Here')
              return; // Skip CSRF check

              $proceed($request, $action); // Proceed Magento 2 core functionalities




              Please star me at https://gist.github.com/ananth-iyer/59ecfabcbca73d6c2e3eeb986ed2f3c4#file-csrfvalidatorskip-php-L9 to encourage.






              share|improve this answer








              New contributor




              AnanthMage2 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
              Check out our Code of Conduct.




















                Your Answer








                StackExchange.ready(function()
                var channelOptions =
                tags: "".split(" "),
                id: "479"
                ;
                initTagRenderer("".split(" "), "".split(" "), channelOptions);

                StackExchange.using("externalEditor", function()
                // Have to fire editor after snippets, if snippets enabled
                if (StackExchange.settings.snippets.snippetsEnabled)
                StackExchange.using("snippets", function()
                createEditor();
                );

                else
                createEditor();

                );

                function createEditor()
                StackExchange.prepareEditor(
                heartbeatType: 'answer',
                autoActivateHeartbeat: false,
                convertImagesToLinks: false,
                noModals: true,
                showLowRepImageUploadWarning: true,
                reputationToPostImages: null,
                bindNavPrevention: true,
                postfix: "",
                imageUploader:
                brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
                contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
                allowUrls: true
                ,
                onDemand: true,
                discardSelector: ".discard-answer"
                ,immediatelyShowMarkdownHelp:true
                );



                );













                draft saved

                draft discarded


















                StackExchange.ready(
                function ()
                StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fmagento.stackexchange.com%2fquestions%2f253414%2fmagento-2-3-upgrade-breaks-http-post-requests-to-custom-module-endpoint%23new-answer', 'question_page');

                );

                Post as a guest















                Required, but never shown

























                4 Answers
                4






                active

                oldest

                votes








                4 Answers
                4






                active

                oldest

                votes









                active

                oldest

                votes






                active

                oldest

                votes









                8














                Found the solution, your controller must implement CsrfAwareActionInterface and 2 of its methods:



                use MagentoFrameworkAppCsrfAwareActionInterface;
                use MagentoFrameworkAppRequestInterface;
                use MagentoFrameworkAppRequestInvalidRequestException;

                class MyController extends MagentoFrameworkAppActionAction implements CsrfAwareActionInterface

                public function createCsrfValidationException(RequestInterface $request): ?InvalidRequestException

                return null;


                public function validateForCsrf(RequestInterface $request): ?bool

                return true;




                This solves the problem, but is also backwards incompatible, i.e. your module will now not work on Magento 2.2 and earlier.






                share|improve this answer























                • Working like a charm. this is what i am looking at.. thanks!!

                  – Pravin
                  Jan 12 at 15:44











                • Check this answer for backwards compatibility: magento.stackexchange.com/a/261410/74078

                  – gemig_hol
                  Mar 17 at 17:26















                8














                Found the solution, your controller must implement CsrfAwareActionInterface and 2 of its methods:



                use MagentoFrameworkAppCsrfAwareActionInterface;
                use MagentoFrameworkAppRequestInterface;
                use MagentoFrameworkAppRequestInvalidRequestException;

                class MyController extends MagentoFrameworkAppActionAction implements CsrfAwareActionInterface

                public function createCsrfValidationException(RequestInterface $request): ?InvalidRequestException

                return null;


                public function validateForCsrf(RequestInterface $request): ?bool

                return true;




                This solves the problem, but is also backwards incompatible, i.e. your module will now not work on Magento 2.2 and earlier.






                share|improve this answer























                • Working like a charm. this is what i am looking at.. thanks!!

                  – Pravin
                  Jan 12 at 15:44











                • Check this answer for backwards compatibility: magento.stackexchange.com/a/261410/74078

                  – gemig_hol
                  Mar 17 at 17:26













                8












                8








                8







                Found the solution, your controller must implement CsrfAwareActionInterface and 2 of its methods:



                use MagentoFrameworkAppCsrfAwareActionInterface;
                use MagentoFrameworkAppRequestInterface;
                use MagentoFrameworkAppRequestInvalidRequestException;

                class MyController extends MagentoFrameworkAppActionAction implements CsrfAwareActionInterface

                public function createCsrfValidationException(RequestInterface $request): ?InvalidRequestException

                return null;


                public function validateForCsrf(RequestInterface $request): ?bool

                return true;




                This solves the problem, but is also backwards incompatible, i.e. your module will now not work on Magento 2.2 and earlier.






                share|improve this answer













                Found the solution, your controller must implement CsrfAwareActionInterface and 2 of its methods:



                use MagentoFrameworkAppCsrfAwareActionInterface;
                use MagentoFrameworkAppRequestInterface;
                use MagentoFrameworkAppRequestInvalidRequestException;

                class MyController extends MagentoFrameworkAppActionAction implements CsrfAwareActionInterface

                public function createCsrfValidationException(RequestInterface $request): ?InvalidRequestException

                return null;


                public function validateForCsrf(RequestInterface $request): ?bool

                return true;




                This solves the problem, but is also backwards incompatible, i.e. your module will now not work on Magento 2.2 and earlier.







                share|improve this answer












                share|improve this answer



                share|improve this answer










                answered Dec 18 '18 at 15:15









                snezsnez

                2401211




                2401211












                • Working like a charm. this is what i am looking at.. thanks!!

                  – Pravin
                  Jan 12 at 15:44











                • Check this answer for backwards compatibility: magento.stackexchange.com/a/261410/74078

                  – gemig_hol
                  Mar 17 at 17:26

















                • Working like a charm. this is what i am looking at.. thanks!!

                  – Pravin
                  Jan 12 at 15:44











                • Check this answer for backwards compatibility: magento.stackexchange.com/a/261410/74078

                  – gemig_hol
                  Mar 17 at 17:26
















                Working like a charm. this is what i am looking at.. thanks!!

                – Pravin
                Jan 12 at 15:44





                Working like a charm. this is what i am looking at.. thanks!!

                – Pravin
                Jan 12 at 15:44













                Check this answer for backwards compatibility: magento.stackexchange.com/a/261410/74078

                – gemig_hol
                Mar 17 at 17:26





                Check this answer for backwards compatibility: magento.stackexchange.com/a/261410/74078

                – gemig_hol
                Mar 17 at 17:26













                0














                One could provide a compatible solution to PHP 7.1< & Mage 2.3< if they were to outsource the validator to a different class, e.g.



                if (PHP_VERSION_ID < 70100) 
                class Index extends ExtendableMain
                else
                class Index extends ExtendableCsrCompatible



                Where ExtendableMain has the logic for execute() and CsrCompatible can both extend ExtendableMain and implements CsrfAwareActionInterface. E.g:



                class Main extends Action 

                execute() ...



                And



                class CsrCompatible extends Main implements CsrfAwareActionInterface 

                //interface functions



                The 5.6-7.0 will just never go into the CsrCompatible and therefore not throw an exception when it sees the fancy ?bool code.






                share|improve this answer



























                  0














                  One could provide a compatible solution to PHP 7.1< & Mage 2.3< if they were to outsource the validator to a different class, e.g.



                  if (PHP_VERSION_ID < 70100) 
                  class Index extends ExtendableMain
                  else
                  class Index extends ExtendableCsrCompatible



                  Where ExtendableMain has the logic for execute() and CsrCompatible can both extend ExtendableMain and implements CsrfAwareActionInterface. E.g:



                  class Main extends Action 

                  execute() ...



                  And



                  class CsrCompatible extends Main implements CsrfAwareActionInterface 

                  //interface functions



                  The 5.6-7.0 will just never go into the CsrCompatible and therefore not throw an exception when it sees the fancy ?bool code.






                  share|improve this answer

























                    0












                    0








                    0







                    One could provide a compatible solution to PHP 7.1< & Mage 2.3< if they were to outsource the validator to a different class, e.g.



                    if (PHP_VERSION_ID < 70100) 
                    class Index extends ExtendableMain
                    else
                    class Index extends ExtendableCsrCompatible



                    Where ExtendableMain has the logic for execute() and CsrCompatible can both extend ExtendableMain and implements CsrfAwareActionInterface. E.g:



                    class Main extends Action 

                    execute() ...



                    And



                    class CsrCompatible extends Main implements CsrfAwareActionInterface 

                    //interface functions



                    The 5.6-7.0 will just never go into the CsrCompatible and therefore not throw an exception when it sees the fancy ?bool code.






                    share|improve this answer













                    One could provide a compatible solution to PHP 7.1< & Mage 2.3< if they were to outsource the validator to a different class, e.g.



                    if (PHP_VERSION_ID < 70100) 
                    class Index extends ExtendableMain
                    else
                    class Index extends ExtendableCsrCompatible



                    Where ExtendableMain has the logic for execute() and CsrCompatible can both extend ExtendableMain and implements CsrfAwareActionInterface. E.g:



                    class Main extends Action 

                    execute() ...



                    And



                    class CsrCompatible extends Main implements CsrfAwareActionInterface 

                    //interface functions



                    The 5.6-7.0 will just never go into the CsrCompatible and therefore not throw an exception when it sees the fancy ?bool code.







                    share|improve this answer












                    share|improve this answer



                    share|improve this answer










                    answered Feb 10 at 7:59









                    augsteyeraugsteyer

                    1914




                    1914





















                        0














                        Implement CsrfAwareActionInterface is a solution, but it makes the code not compatible with Magento < 2.3



                        Here is a trick (injecting the Key to the request on the Action) that is compatible with Magento 2.X



                        Put it in the constructor of the Action.



                         // CsrfAwareAction Magento2.3 compatibility
                        if (interface_exists("MagentoFrameworkAppCsrfAwareActionInterface"))
                        $request = $this->getRequest();
                        if ($request instanceof HttpRequest && $request->isPost() && empty($request->getParam('form_key')))
                        $formKey = $this->_objectManager->get(MagentoFrameworkDataFormFormKey::class);
                        $request->setParam('form_key', $formKey->getFormKey());







                        share|improve this answer



























                          0














                          Implement CsrfAwareActionInterface is a solution, but it makes the code not compatible with Magento < 2.3



                          Here is a trick (injecting the Key to the request on the Action) that is compatible with Magento 2.X



                          Put it in the constructor of the Action.



                           // CsrfAwareAction Magento2.3 compatibility
                          if (interface_exists("MagentoFrameworkAppCsrfAwareActionInterface"))
                          $request = $this->getRequest();
                          if ($request instanceof HttpRequest && $request->isPost() && empty($request->getParam('form_key')))
                          $formKey = $this->_objectManager->get(MagentoFrameworkDataFormFormKey::class);
                          $request->setParam('form_key', $formKey->getFormKey());







                          share|improve this answer

























                            0












                            0








                            0







                            Implement CsrfAwareActionInterface is a solution, but it makes the code not compatible with Magento < 2.3



                            Here is a trick (injecting the Key to the request on the Action) that is compatible with Magento 2.X



                            Put it in the constructor of the Action.



                             // CsrfAwareAction Magento2.3 compatibility
                            if (interface_exists("MagentoFrameworkAppCsrfAwareActionInterface"))
                            $request = $this->getRequest();
                            if ($request instanceof HttpRequest && $request->isPost() && empty($request->getParam('form_key')))
                            $formKey = $this->_objectManager->get(MagentoFrameworkDataFormFormKey::class);
                            $request->setParam('form_key', $formKey->getFormKey());







                            share|improve this answer













                            Implement CsrfAwareActionInterface is a solution, but it makes the code not compatible with Magento < 2.3



                            Here is a trick (injecting the Key to the request on the Action) that is compatible with Magento 2.X



                            Put it in the constructor of the Action.



                             // CsrfAwareAction Magento2.3 compatibility
                            if (interface_exists("MagentoFrameworkAppCsrfAwareActionInterface"))
                            $request = $this->getRequest();
                            if ($request instanceof HttpRequest && $request->isPost() && empty($request->getParam('form_key')))
                            $formKey = $this->_objectManager->get(MagentoFrameworkDataFormFormKey::class);
                            $request->setParam('form_key', $formKey->getFormKey());








                            share|improve this answer












                            share|improve this answer



                            share|improve this answer










                            answered Feb 12 at 16:49









                            smartinsmartin

                            1267




                            1267





















                                0














                                Please check more generous solution that does not change core functionality, you can use around plugin on Validate function of MagentoFrameworkAppRequestCsrfValidator class




                                This implementation does not break the core functionality of Magento 2.1/2.2/2.3 versions.




                                di.xml



                                <?xml version="1.0"?>
                                <config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:framework:ObjectManager/etc/config.xsd">
                                <type name="MagentoFrameworkAppRequestCsrfValidator">
                                <plugin name="csrf_validator_skip" type="ModuleVendorPluginCsrfValidatorSkip" />
                                </type>
                                </config>


                                CsrfValidatorSkip.php



                                <?php
                                namespace ModuleVendorPlugin;
                                class CsrfValidatorSkip

                                /**
                                * @param MagentoFrameworkAppRequestCsrfValidator $subject
                                * @param Closure $proceed
                                * @param MagentoFrameworkAppRequestInterface $request
                                * @param MagentoFrameworkAppActionInterface $action
                                */
                                public function aroundValidate(
                                $subject,
                                Closure $proceed,
                                $request,
                                $action
                                )
                                if ($request->getModuleName() == 'Your_Module_frontName_Here')
                                return; // Skip CSRF check

                                $proceed($request, $action); // Proceed Magento 2 core functionalities




                                Please star me at https://gist.github.com/ananth-iyer/59ecfabcbca73d6c2e3eeb986ed2f3c4#file-csrfvalidatorskip-php-L9 to encourage.






                                share|improve this answer








                                New contributor




                                AnanthMage2 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                                Check out our Code of Conduct.
























                                  0














                                  Please check more generous solution that does not change core functionality, you can use around plugin on Validate function of MagentoFrameworkAppRequestCsrfValidator class




                                  This implementation does not break the core functionality of Magento 2.1/2.2/2.3 versions.




                                  di.xml



                                  <?xml version="1.0"?>
                                  <config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:framework:ObjectManager/etc/config.xsd">
                                  <type name="MagentoFrameworkAppRequestCsrfValidator">
                                  <plugin name="csrf_validator_skip" type="ModuleVendorPluginCsrfValidatorSkip" />
                                  </type>
                                  </config>


                                  CsrfValidatorSkip.php



                                  <?php
                                  namespace ModuleVendorPlugin;
                                  class CsrfValidatorSkip

                                  /**
                                  * @param MagentoFrameworkAppRequestCsrfValidator $subject
                                  * @param Closure $proceed
                                  * @param MagentoFrameworkAppRequestInterface $request
                                  * @param MagentoFrameworkAppActionInterface $action
                                  */
                                  public function aroundValidate(
                                  $subject,
                                  Closure $proceed,
                                  $request,
                                  $action
                                  )
                                  if ($request->getModuleName() == 'Your_Module_frontName_Here')
                                  return; // Skip CSRF check

                                  $proceed($request, $action); // Proceed Magento 2 core functionalities




                                  Please star me at https://gist.github.com/ananth-iyer/59ecfabcbca73d6c2e3eeb986ed2f3c4#file-csrfvalidatorskip-php-L9 to encourage.






                                  share|improve this answer








                                  New contributor




                                  AnanthMage2 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                                  Check out our Code of Conduct.






















                                    0












                                    0








                                    0







                                    Please check more generous solution that does not change core functionality, you can use around plugin on Validate function of MagentoFrameworkAppRequestCsrfValidator class




                                    This implementation does not break the core functionality of Magento 2.1/2.2/2.3 versions.




                                    di.xml



                                    <?xml version="1.0"?>
                                    <config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:framework:ObjectManager/etc/config.xsd">
                                    <type name="MagentoFrameworkAppRequestCsrfValidator">
                                    <plugin name="csrf_validator_skip" type="ModuleVendorPluginCsrfValidatorSkip" />
                                    </type>
                                    </config>


                                    CsrfValidatorSkip.php



                                    <?php
                                    namespace ModuleVendorPlugin;
                                    class CsrfValidatorSkip

                                    /**
                                    * @param MagentoFrameworkAppRequestCsrfValidator $subject
                                    * @param Closure $proceed
                                    * @param MagentoFrameworkAppRequestInterface $request
                                    * @param MagentoFrameworkAppActionInterface $action
                                    */
                                    public function aroundValidate(
                                    $subject,
                                    Closure $proceed,
                                    $request,
                                    $action
                                    )
                                    if ($request->getModuleName() == 'Your_Module_frontName_Here')
                                    return; // Skip CSRF check

                                    $proceed($request, $action); // Proceed Magento 2 core functionalities




                                    Please star me at https://gist.github.com/ananth-iyer/59ecfabcbca73d6c2e3eeb986ed2f3c4#file-csrfvalidatorskip-php-L9 to encourage.






                                    share|improve this answer








                                    New contributor




                                    AnanthMage2 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                                    Check out our Code of Conduct.










                                    Please check more generous solution that does not change core functionality, you can use around plugin on Validate function of MagentoFrameworkAppRequestCsrfValidator class




                                    This implementation does not break the core functionality of Magento 2.1/2.2/2.3 versions.




                                    di.xml



                                    <?xml version="1.0"?>
                                    <config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:framework:ObjectManager/etc/config.xsd">
                                    <type name="MagentoFrameworkAppRequestCsrfValidator">
                                    <plugin name="csrf_validator_skip" type="ModuleVendorPluginCsrfValidatorSkip" />
                                    </type>
                                    </config>


                                    CsrfValidatorSkip.php



                                    <?php
                                    namespace ModuleVendorPlugin;
                                    class CsrfValidatorSkip

                                    /**
                                    * @param MagentoFrameworkAppRequestCsrfValidator $subject
                                    * @param Closure $proceed
                                    * @param MagentoFrameworkAppRequestInterface $request
                                    * @param MagentoFrameworkAppActionInterface $action
                                    */
                                    public function aroundValidate(
                                    $subject,
                                    Closure $proceed,
                                    $request,
                                    $action
                                    )
                                    if ($request->getModuleName() == 'Your_Module_frontName_Here')
                                    return; // Skip CSRF check

                                    $proceed($request, $action); // Proceed Magento 2 core functionalities




                                    Please star me at https://gist.github.com/ananth-iyer/59ecfabcbca73d6c2e3eeb986ed2f3c4#file-csrfvalidatorskip-php-L9 to encourage.







                                    share|improve this answer








                                    New contributor




                                    AnanthMage2 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                                    Check out our Code of Conduct.









                                    share|improve this answer



                                    share|improve this answer






                                    New contributor




                                    AnanthMage2 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                                    Check out our Code of Conduct.









                                    answered yesterday









                                    AnanthMage2AnanthMage2

                                    11




                                    11




                                    New contributor




                                    AnanthMage2 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                                    Check out our Code of Conduct.





                                    New contributor





                                    AnanthMage2 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                                    Check out our Code of Conduct.






                                    AnanthMage2 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                                    Check out our Code of Conduct.



























                                        draft saved

                                        draft discarded
















































                                        Thanks for contributing an answer to Magento Stack Exchange!


                                        • Please be sure to answer the question. Provide details and share your research!

                                        But avoid


                                        • Asking for help, clarification, or responding to other answers.

                                        • Making statements based on opinion; back them up with references or personal experience.

                                        To learn more, see our tips on writing great answers.




                                        draft saved


                                        draft discarded














                                        StackExchange.ready(
                                        function ()
                                        StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fmagento.stackexchange.com%2fquestions%2f253414%2fmagento-2-3-upgrade-breaks-http-post-requests-to-custom-module-endpoint%23new-answer', 'question_page');

                                        );

                                        Post as a guest















                                        Required, but never shown





















































                                        Required, but never shown














                                        Required, but never shown












                                        Required, but never shown







                                        Required, but never shown

































                                        Required, but never shown














                                        Required, but never shown












                                        Required, but never shown







                                        Required, but never shown







                                        Popular posts from this blog

                                        Sum ergo cogito? 1 nng

                                        三茅街道4182Guuntc Dn precexpngmageondP