{"id":916,"date":"2020-04-04T13:03:39","date_gmt":"2020-04-04T13:03:39","guid":{"rendered":"https:\/\/meetanshi.com\/blog\/2020\/04\/04\/bypass-csrf-validation-for-certain-requests-in-magento-2\/"},"modified":"2025-05-22T14:37:23","modified_gmt":"2025-05-22T09:07:23","slug":"bypass-csrf-validation-for-certain-requests-in-magento-2","status":"publish","type":"post","link":"https:\/\/meetanshi.com\/blog\/bypass-csrf-validation-for-certain-requests-in-magento-2\/","title":{"rendered":"How To Bypass CSRF Validation For Certain Requests In Magento 2"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">As per <a href=\"https:\/\/en.wikipedia.org\/wiki\/Cross-site_request_forgery\" target=\"_blank\" rel=\"noreferrer noopener\">Wikipedia<\/a>,<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Cross-site request forgery, also known as one-click attack or&nbsp;session riding&nbsp;or XSRF, is a type of malicious&nbsp;exploit&nbsp;of a&nbsp;website&nbsp;where unauthorized commands are transmitted from a&nbsp;user&nbsp;that the web application trusts.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">In simpler terms, in a CSRF attack a user is tricked into submitting a web request that they did not intend to make.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Magento 2 provides protection against CSRF attacks for security purposes. However, there are certain scenarios where one needs to bypass CSRF validation for specific requests in Magento 2.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">For example, I had to implement a feature where the user is redirected to the home page after a successful payment in a custom payment method. The issue was that the request failed with an \u201cInvalid Form Key\u201d error.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This error occurs when the CSRF token has either expired or was incorrectly implemented. 
In order to <a href=\"https:\/\/meetanshi.com\/blog\/invalid-form-key-please-refresh-the-page-in-magento-2\/\">solve the \u201cInvalid form key\u201d error<\/a> for that request, follow the method below:<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Method to bypass CSRF validation for certain requests in Magento 2:<\/h2>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">&lt;?php\n\nnamespace Vendor\\Extension\\Controller\\Checkout;\n\nuse Magento\\Framework\\App\\Action;\nuse Magento\\Framework\\App\\CsrfAwareActionInterface;\nuse Magento\\Framework\\App\\Request\\InvalidRequestException;\nuse Magento\\Framework\\App\\RequestInterface;\n\n\/**\n * Controller that accepts requests without a form key by implementing CsrfAwareActionInterface.\n *\/\nclass Response extends Action\\Action implements CsrfAwareActionInterface\n{\n    public function __construct(Action\\Context $context)\n    {\n        parent::__construct($context);\n    }\n\n    \/**\n     * Redirect the customer to the home page once the payment response is received.\n     *\/\n    public function execute()\n    {\n        $resultRedirect = $this-&gt;resultRedirectFactory-&gt;create();\n        $resultRedirect-&gt;setPath('\/');\n\n        return $resultRedirect;\n    }\n\n    \/**\n     * Returning null means no CSRF exception is raised for this controller.\n     *\/\n    public function createCsrfValidationException(RequestInterface $request): ?InvalidRequestException\n    {\n        return null;\n    }\n\n    \/**\n     * Returning true marks every request to this controller as valid, so the form key is not checked.\n     *\/\n    public function validateForCsrf(RequestInterface $request): ?bool\n    {\n        return true;\n    }\n}<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">That\u2019s it. Implementing CsrfAwareActionInterface lets the controller decide for itself whether a request is valid: validateForCsrf() returning true accepts every request to this controller without checking the form key, and createCsrfValidationException() returning null means no CSRF exception is raised. The bypass applies only to this controller, so keep it limited to requests that cannot carry a form key, such as the return from an external payment gateway, and verify those requests by other means.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Do share the solution with the Magento community via social media.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Thanks.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>As per the&nbsp;Wikipedia, Cross-site request forgery, also known as one-click attack or&nbsp;session riding&nbsp;or XSRF, is a type of malicious&nbsp;exploit&nbsp;of a&nbsp;website&nbsp;where unauthorized commands are transmitted 
from&#8230;<\/p>\n","protected":false},"author":5,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[34],"tags":[],"class_list":["post-916","post","type-post","status-publish","format-standard","hentry","category-magento"],"acf":[],"_links":{"self":[{"href":"https:\/\/meetanshi.com\/blog\/wp-json\/wp\/v2\/posts\/916","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/meetanshi.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/meetanshi.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/meetanshi.com\/blog\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/meetanshi.com\/blog\/wp-json\/wp\/v2\/comments?post=916"}],"version-history":[{"count":3,"href":"https:\/\/meetanshi.com\/blog\/wp-json\/wp\/v2\/posts\/916\/revisions"}],"predecessor-version":[{"id":14989,"href":"https:\/\/meetanshi.com\/blog\/wp-json\/wp\/v2\/posts\/916\/revisions\/14989"}],"wp:attachment":[{"href":"https:\/\/meetanshi.com\/blog\/wp-json\/wp\/v2\/media?parent=916"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/meetanshi.com\/blog\/wp-json\/wp\/v2\/categories?post=916"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/meetanshi.com\/blog\/wp-json\/wp\/v2\/tags?post=916"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}