powerful-smartphone-87494
07/09/2025, 11:02 AM

brief-egg-61061
07/09/2025, 11:02 AM
`--dev` mode. This relaxes some cookie security settings (like `SameSite` and `Secure` flags) to make local development easier, but it does not disable CSRF protection itself. You will still need to include the CSRF token in your requests as required by the flow—either in the request body (`csrf_token`) or in the `X-CSRF-Token` header for non-form requests. If you omit the CSRF token, Kratos will continue to reject the request, even in development mode. This is by design and cannot be turned off via configuration or flags according to the available documentation and discussions.

If you are running into CSRF errors during development, ensure that:
- You are consistently forwarding cookies between your frontend and Kratos.
- The CSRF token from the flow is included in your request body or header as required.
- You are not mixing up domains (e.g., `localhost` vs. `127.0.0.1`), as cookies are domain-specific.
- You clear cookies if you suspect a mismatch or stale state.

For more details, see:
- [CSRF troubleshooting](https://www.ory.sh/docs/troubleshooting/csrf)
- [CSRF debugging in Kratos](https://www.ory.sh/docs/kratos/debug/csrf)
- [Security model](https://www.ory.sh/docs/security-model)

Summary: You cannot disable CSRF protection in Ory Kratos, even in development mode. You must include the CSRF token as required by the flow to avoid these errors. If you are having trouble, double-check your request handling and cookie forwarding logic as described above.