dosubot[bot] commented on issue #37930: URL: https://github.com/apache/superset/issues/37930#issuecomment-3890946815
Hi @Alejandroid17! I'm [Dosu](https://go.dosu.dev/dosubot) and I’m helping the superset team.

The CSRF error happens because Superset expects both the session cookie and the CSRF token to match for POST requests. Postman works because it keeps the session cookie and CSRF token in sync, but scripts can fail if the session cookie isn’t properly sent with the POST request.

To fix this, make sure your script uses the same session cookie for both fetching the CSRF token and making the POST request. The requests.Session object should handle this, but sometimes headers or cookies get out of sync. Double-check that the session cookie is present in the POST request to `/api/v1/database/` and matches the one used to fetch the CSRF token. Also, ensure you’re not accidentally overwriting or dropping cookies between requests.

If you’re still seeing the error, try printing the cookies before the POST request and compare them to what Postman sends. The session cookie must be included and valid for CSRF validation to succeed. More details on Superset’s CSRF handling are in the codebase: [config.py](https://github.com/apache/superset/blob/829e4d92d91ceae4b43b1ed3b063ffe45377799c/superset/config.py#L191-L1716), [security/api.py](https://github.com/apache/superset/blob/829e4d92d91ceae4b43b1ed3b063ffe45377799c/superset/security/api.py#L109-L135), and [views/base_api.py](https://github.com/apache/superset/blob/829e4d92d91ceae4b43b1ed3b063ffe45377799c/superset/views/base_api.py#L23-L531).
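Added example, not part of the original comment and not Superset's code: a local stand-in server that ties each CSRF token to a session cookie, showing the same token accepted when the cookie jar is reused and rejected when the cookie is dropped. The standard library's cookie jar takes the place of `requests.Session` so it runs without third-party packages; `StandIn`, `SESSIONS`, `make_client`, `post_status`, `demo`, the `session` cookie name and the 400 status are assumptions for illustration.

```python
import http.cookiejar, json, secrets, threading, urllib.error, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
SESSIONS = {}  # constructed stand-in state: session id -> CSRF token issued for it

class StandIn(BaseHTTPRequestHandler):  # local stand-in server, not Superset's code
    def _sid(self):
        return self.headers.get("Cookie", "").partition("session=")[2].split(";")[0]
    def _reply(self, code, body, sid=None):
        data = json.dumps(body).encode()
        self.send_response(code)
        if sid:
            self.send_header("Set-Cookie", f"session={sid}; Path=/; HttpOnly")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)
    def do_GET(self):  # issue a token tied to the caller's session
        sid = self._sid() or secrets.token_hex(8)
        SESSIONS[sid] = secrets.token_hex(16)
        self._reply(200, {"result": SESSIONS[sid]}, sid)
    def do_POST(self):  # accept only when the header token matches the session's token
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        expected, sent = SESSIONS.get(self._sid()), self.headers.get("X-CSRFToken", "")
        ok = expected is not None and secrets.compare_digest(expected, sent)
        self._reply(200 if ok else 400, {"ok": ok})
    def log_message(self, *args): pass  # keep the demo quiet

def make_client():  # ProxyHandler({}) keeps loopback traffic off any configured proxy
    jar = http.cookiejar.CookieJar()
    handlers = (urllib.request.ProxyHandler({}), urllib.request.HTTPCookieProcessor(jar))
    return urllib.request.build_opener(*handlers), jar

def post_status(opener, base, token):
    req = urllib.request.Request(base + "/api/v1/database/", data=b"{}",
                                 headers={"X-CSRFToken": token}, method="POST")
    try:
        return opener.open(req).status
    except urllib.error.HTTPError as err:
        return err.code

def demo():
    server = HTTPServer(("127.0.0.1", 0), StandIn)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_port}"
    same, jar = make_client()
    token = json.load(same.open(base + "/api/v1/security/csrf_token/"))["result"]
    names = [c.name for c in jar]             # cookies to inspect before the POST
    in_sync = post_status(same, base, token)  # same jar: cookie and token match
    out_of_sync = post_status(make_client()[0], base, token)  # new jar: cookie lost
    server.shutdown()
    return names, in_sync, out_of_sync
```

`demo()` returns the cookie names held before the POST and the two status codes, which is the comparison the comment suggests making against a working client.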
