ActionController::InvalidAuthenticityToken and Nginx

Nontrivial case

Posted on 2017-11-02 23:11:01

Today I faced an interesting issue with my production app. Locally everything worked fine, but in production, on form submit, we received an invalid CSRF error. The authenticity token was present in the form params, so the most obvious causes did not apply.

After some googling and Stack Overflowing, I found one theory: a missing X-Forwarded-Proto header.

The root of the problem was that we have HTTPS terminated at nginx, and we had forgotten to add this header to the nginx location that proxies to the app. Without this header Rails cannot tell that the original request came in over HTTPS, and so it is unable to verify the CSRF token correctly.
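The broken and the corrected nginx location side by side, as an added example that is not from the original post; the upstream address, server name and certificate paths are placeholders:

```nginx
# Added example: HTTPS is terminated at nginx, Rails runs on a local upstream.
upstream rails_app {
    server 127.0.0.1:3000;                       # placeholder upstream
}

server {
    listen 443 ssl;
    server_name example.com;                     # placeholder host
    ssl_certificate     /etc/ssl/example.com.crt;  # placeholder path
    ssl_certificate_key /etc/ssl/example.com.key;  # placeholder path

    # Broken: the original scheme is lost at the proxy hop, so Rails sees
    # every request as plain "http" and CSRF verification fails.
    # location / {
    #     proxy_set_header Host $host;
    #     proxy_pass http://rails_app;
    # }

    # Fixed: forward the scheme the client actually used ($scheme = https here).
    # Setting it at nginx also overrides any value a client tried to send.
    location / {
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://rails_app;
    }
}
```

Rack derives the request scheme from X-Forwarded-Proto, so without it Rails builds http:// base URLs for an https site, and the Rails 5 forgery origin check compares the browser's https Origin against that http base URL and rejects the form.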

I'll dig deeper into this area and write a separate post about this Rails mechanism. But for now: don't forget this header, guys.