Choose your language

Choose your login


CSRF validation error



CSRF validation configs have moved as of PaperCut 23.0.8

From PaperCut 23.0.8 on, the config keys related to CSRF validation have moved. Now are they called security.csrf-check.validate-request-origin and security.csrf-check.deny-unknown-origin respectively, under the path of [app-path]/server/ They continue to function much like their predecessors.

Note the first words of the config keys are now security, instead of server.

A further third config key has also been added as part of this change. It is security.csrf-check.allowed-domain-list. This is to accommodate the need to have general CSRF validations on while allowing specific domains to send POST requests to your PaperCut server.

You may add semicolon (";") separated values as a single string to cover the domains you would like to allow POST requests to come through. PaperCut will allow requests from domains that end with the entire length of at least one of the semicolon separated values. This can be useful for servers that run payment gateways.

The values inside this string can be used to allow POST backs from defined domains if:

  1. The domain where the POST request originates from ends with your defined value. E.g. “ ends with ”, so if you add “ ” to the security.csrf-check.allowed-domain-list, any POST requests from domain “ ” will be allowed through. If you need to add multiple values, you may do something like “ ; ”; AND

  2. The defined “allowed domain” value has at least 5 characters. E.g. “.com” will be considered too short because it only has 4 characters. In the interest of your security, be as specific as possible. For example, “ ” is better than “ ”, although both are permitted. This rule applies to each part that is separated by the semicolon(s). Any part that is shorter than 5 characters will not take effect; AND

  3. The domains added to the file do not support wild card expressions such as *.


Past History

PaperCut 17.3 introduced a security enhancement to improve the coverage of HTTP header origin checks, in line with OWASP recommendations. However, in some cases, attempting to log into the Admin or User web interface after upgrading to 17.3, sometimes produces a CSRF (Cross Site Request Forgery) validation error message. This was based on the way the PaperCut web server was configured to redirect users to new pages (i.e. the site’s proxy configuration and the way it was configured to handle host header overrides).

This has been resolved in PaperCut 17.3.4, only for sites using a standard proxy server configuration to redirect users to new pages (i.e. sites using the server.force-host-header in the file, to configure the proxy to override host headers).

However, this issue will continue to persist for sites using a non-standard reverse proxy server configuration to redirect users to new pages (i.e. sites using a proxy running in FRONT of PaperCut, to override host headers).

Depending on a site’s proxy configuration and the version of PaperCut being run, the following resolutions may apply:

Any site with any proxy server configuration, running PaperCut 17.3.0 or above but below 23.0.8:

Disable the CSRF security enhancement:

  1. In a text editor, open [app-path]/server/
  2. Either, search for and find the line: server.csrf-check.validate-request-origin, or add a new line: server.csrf-check.validate-request-origin
  3. Set server.csrf-check.validate-request-origin to N.
  4. Restart the service PaperCut Application Server.

Note: When editing an existing setting, please remove the leading # character.

Sites with a non-standard reverse proxy server configuration, running PaperCut 17.3.0 or above:

(i.e. host headers are overridden by a proxy that is configured to run in FRONT of PaperCut)

  • Update the proxy configuration to rely on the X-Forwarded-Host header instead of overriding the host header
  • upgrade to PaperCut 17.3.4 (or above)


  • update the infrastructure so it doesn’t require host header overrides.

Other known issues:

Requests to the PaperCut server will fail CSRF validation if the host name contains an underscore (“_”). This is due to a known JRE bug. 

Categories: Troubleshooting Articles , Security and Privacy

Keywords: CSRF validation error


Last updated June 13, 2024