POST to /splunkd/__raw endpoint returns CSRF validation failed

louisjannett — Fri, 25 May 2018 07:20:23 GMT

Hello,

I have a confusing issue with the Splunk endpoint POST method execution. Every time I'm trying to send a GET request to my custom endpoint, everything works as expected. But when I am sending a POST request with the identical parameters and Cookies, the API returns a 401 status code and says: "Splunk cannot authenticate the request. CSRF validation failed.". I have no clue why this happens because the CSRF Token in the request is still the same token as the token in the GET request. Moreover the response of the GET request returns the identical CSRF cookie which is afterwards used again by the POST method.

Using the API over the management port on 8089 works perfectly fine with GET and POST requests. This happens just with the /splunkd/__raw webservice endpoint.

Does anyone have an idea about what is causing this error?
Thanks in advance!

Request:

POST /en-GB/splunkd/__raw/services/test_endpoint HTTP/1.1
Host: localhost:8000
Content-Length: 10
Origin: http://localhost:8000
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36
Content-Type: text/plain;charset=UTF-8
Accept: */*
Referer: http://localhost:8000/en-GB/splunkd/__raw/services/test_endpoint?payload=Hello
Accept-Encoding: gzip, deflate
Accept-Language: de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: splunkweb_csrf_token_8000=XXX; session_id_8000=XXX; token_key=XXX; experience_id=XXX; splunkd_8000=XXX
Connection: close

Hello POST

Response:

HTTP/1.1 401 Splunk cannot authenticate the request. CSRF validation failed.
Date: Fri, 25 May 2018 07:02:13 GMT
Content-Type: text/xml; charset=UTF-8
X-Content-Type-Options: nosniff
Content-Length: 181
Vary: Cookie
Connection: Close
X-Frame-Options: SAMEORIGIN
Server: Splunkd

<?xml version="1.0" encoding="UTF-8"?>
<response>
  <messages>
    <msg type="ERROR">Splunk cannot authenticate the request. CSRF validation failed.</msg>
  </messages>
</response>

Re: POST to /splunkd/__raw endpoint returns CSRF validation failed

sjodle — Mon, 04 Jun 2018 17:46:13 GMT

When logged into the Splunk Web GUI, Splunk sets a cookie called token_key.

When POSTing, PATCHing, DELETEing, etc. to a custom endpoint, you need to pass this token back by including the following headers in your request:

X-Requested-With = XMLHttpRequest
X-Splunk-Form-Key = <the value of the token_key cookie>

This isn't documented anywhere, as far as I could tell.

Re: POST to /splunkd/__raw endpoint returns CSRF validation failed

badarsebard — Fri, 10 Jul 2020 01:01:47 GMT

Thank you so much this was driving me crazy!

Re: POST to /splunkd/__raw endpoint returns CSRF validation failed

amirul_alif — Fri, 28 Mar 2025 04:15:17 GMT

🚀 This solution still works in 2025! — rock solid.

topic Re: POST to /splunkd/__raw endpoint returns CSRF validation failed in Monitoring Splunk

POST to /splunkd/__raw endpoint returns CSRF validation failed

Re: POST to /splunkd/__raw endpoint returns CSRF validation failed

Re: POST to /splunkd/__raw endpoint returns CSRF validation failed

Re: POST to /splunkd/__raw endpoint returns CSRF validation failed