CSRF troubleshooting
For general CRSF troubleshooting visit the CSRF troubleshooting.
This document contains troubleshooting advice regarding CRSF and cookie errors specific to self-hosted Ory Identities Kratos.
Common issues
SameSite attribute
If you run Ory Kratos in --dev
mode, it disables SameSite=Lax
as Google Chrome rejects all cookies that have SameSite=Lax
but have secure
set to false
. If you require SameSite=Lax
, you need to run Ory Kratos with HTTPS and not use the --dev
flag.
Running over HTTP without --dev
mode
Ory Kratos' cookies have the Secure
flag enabled by default. This means that the browser won't send the cookie unless the URL is
a HTTPS URL. If you want Ory Kratos to work with HTTP (for example on localhost) you can add the --dev
flag:
kratos serve --dev
.
Don't do this in production!
Running on separate (sub)domains
Cookies work best on the same domain. While it's possible to get cookies running on subdomains it isn't possible to do that across Top Level Domains (TLDs).
Make sure that your application (for example the Quickstart self service app ) and Ory Kratos Public API are available on the same
domain - preferably without subdomains. Hosting both systems and routing paths with a Reverse Proxy such as Nginx or Envoy or AWS
API Gateway is the best solution. For example, routing https://my-website/kratos/...
to Ory Kratos and
https://my-website/dashboard
to the SecureApp's Dashboard. Alternatively you can use piping in your app as we do in the
Quickstart guide.
We don't recommend running them on separate subdomains, such as https://kratos.my-website/
and https://secureapp.my-website/
.
To allow cookies to work across subdomains, make sure to set the domain name in the Kratos config file under
session.cookie.domain
.
Running the apps on different domains won't work at all, such as https://kratos-my-website/
and https://secureapp-my-website/
.
Running the services on different ports is ok, if the domain stays the same.
Mixing up 127.0.0.1 and localhost
Make sure that the domain stays the same. This is also true for 127.0.0.1
and localhost
which are both separate domains. Make
sure that you use 127.0.0.1
or localhost
consistently across your configuration!