Error Encyclopedia

CSRF Token Mismatch Error

Fix 'CSRF token mismatch' errors in web forms and APIs. Learn how CSRF protection works and how to properly include tokens in requests.

What Does This Error Mean?

The 'CSRF token mismatch' error occurs when a form or request includes a CSRF (Cross-Site Request Forgery) protection token that does not match what the server expects. This security mechanism prevents malicious websites from making unauthorized requests on behalf of authenticated users.

Common Causes

1

Session expired and the CSRF token is no longer valid

2

Form was loaded from a cached page with an old token

3

Multiple browser tabs sharing the same session with different tokens

4

AJAX request did not include the CSRF token header

5

Token was regenerated between page load and form submission

6

SameSite cookie settings interfering with CSRF token flow

How to Fix It

Include CSRF token in every state-changing request

Ensure all POST, PUT, DELETE, and PATCH requests include the CSRF token.

// HTML form: include token as hidden field
<form method="POST">
  <input type="hidden" name="_csrf" value="{{csrfToken}}">
  <input type="text" name="email">
  <button type="submit">Submit</button>
</form>

// AJAX: include as header
fetch("/api/update", {
  method: "POST",
  headers: {
    "X-CSRF-Token": csrfToken,
    "Content-Type": "application/json"
  },
  body: JSON.stringify(data)
})

Refresh token on page load

Ensure the CSRF token is freshly loaded with each page request, not served from cache.

// Express.js: generate token per session
app.get("/form", (req, res) => {
  res.render("form", {
    csrfToken: req.csrfToken()
  })
})

// Disable form caching with headers
res.set("Cache-Control", "no-store, no-cache, must-revalidate")

Handle token regeneration

Some frameworks regenerate the CSRF token on each request. Adjust your client logic accordingly.

// Extract new token from response headers
fetch("/api/data", {
  method: "POST",
  headers: { "X-CSRF-Token": currentToken }
}).then(res => {
  // Update token from response header
  const newToken = res.headers.get("X-CSRF-Token")
  if (newToken) localStorage.setItem("csrfToken", newToken)
})

Related Tools

Use these tools to debug and fix this error:

JWT Generator

Generate signed JWT tokens for testing with custom headers and payloads.

Hash Generator

Generate SHA-1, SHA-256, SHA-384, and SHA-512 hashes from text.

Password Generator

Generate strong, secure random passwords with customizable options.

Related Errors

Other common errors in this category:

JWT Malformed Error

Fix 'jwt malformed' errors when decoding or verifying JWT tokens. Learn the correct JWT format and how to debug invalid tokens.

JWT Token Expired Error

Fix 'jwt expired' errors. Learn how JWT expiration works, how to check the exp claim, and implement token refresh flows.

JWT Invalid Signature Error

Fix 'invalid signature' JWT errors. Learn how JWT signatures work, why they fail, and how to use the correct secret key.

Frequently Asked Questions

Is CSRF protection still needed with SameSite cookies?

SameSite cookies help prevent CSRF but are not a complete solution. CSRF tokens are still recommended as defense in depth, especially for older browsers that don't support SameSite.

Should I use CSRF tokens with JWT authentication?

If you store JWT tokens in cookies (not recommended), you need CSRF protection. If you store JWT in localStorage and send via Authorization header, CSRF is not needed since the browser won't automatically include the header.

Browse All Error Guides