# ory-copilot
@chilly-king-10285 Hi! I'm trying to send a request to get registration flow and getting a CSRF error. Any idea what was wrong?
Sorry @refined-helicopter-87799, it looks like your question contains files, which I cannot process. Please reformulate your question without including any files.
```
GET http://localhost:4433/self-service/registration/flows?id=d75cfa4a-ad53-457b-9363-ef50c8c7ec36

Cookie: csrf_token_806060ca5bf70dff3caa0e5c860002aade9d470a5a4dce73bcfa7ba10778f481=SEEeygvz/irZjcw048Il4uKd/UPCo9/lErll5AlO4Z4=

{
    "error": {
        "id": "security_csrf_violation",
        "code": 403,
        "status": "Forbidden",
        "reason": "Please retry the flow and optionally clear your cookies. The request was rejected to protect you from Cross-Site-Request-Forgery (CSRF) which could cause account takeover, leaking personal information, and other serious security issues.",
        "details": {
            "docs": "https://www.ory.sh/kratos/docs/debug/csrf",
            "hint": "The anti-CSRF cookie was found but the CSRF token was not included in the HTTP request body (csrf_token) nor in the HTTP Header (X-CSRF-Token).",
            "reject_reason": "The HTTP Cookie Header was set and a CSRF token was sent but they do not match. We recommend deleting all cookies for this domain and retrying the flow."
        },
        "message": "the request was rejected to protect you from Cross-Site-Request-Forgery"
    }
}
```
Any idea what was wrong?
A message from kapa.ai
I can see you're encountering a CSRF (Cross-Site Request Forgery) error when trying to get a registration flow. Let me explain what's happening and how to fix it.

## The Issue

The error message indicates that while you have the anti-CSRF cookie in your request, you're missing the CSRF token in either the request body or the X-CSRF-Token header. Ory Kratos uses a synchronizer token pattern for CSRF protection, which requires both the cookie and a matching token to be present.

## How to Fix It

For GET requests like `/self-service/registration/flows`, you need to include the CSRF token in the `X-CSRF-Token` header. The value for this header should be the same as the value in your anti-CSRF cookie. Based on your error message:

```
hint: "The anti-CSRF cookie was found but the CSRF token was not included in the HTTP request body (csrf_token) nor in the HTTP Header (X-CSRF-Token)."
```

You need to add the `X-CSRF-Token` header to your request with the value from your cookie:

```
X-CSRF-Token: SEEeygvz/irZjcw048Il4uKd/UPCo9/lErll5AlO4Z4=
```

This is particularly important for browser flows, which expect the anti-CSRF cookie to be included in the request's HTTP Cookie Header [CSRF Troubleshooting](https://www.ory.sh/docs/troubleshooting/csrf).

## Important Notes

1. The token value you send in the header or body must match the one from the API response of the flow creation, not just any value from the cookie [GitHub Discussion](https://github.com/ory/kratos/discussions/4307).
2. For server-side applications, make sure to forward the Cookie header from the client when fetching self-service flows:

   ```js
   client.getRegistrationFlow({ id: flowId, cookie: req.header("cookie") })
   ```

3. If you continue to have issues, you might need to clear all cookies for the domain and retry the flow as suggested in the error message.

For more detailed information on CSRF protection in Ory Kratos, check out the [CSRF Troubleshooting Guide](https://www.ory.sh/docs/kratos/debug/csrf).