You are currently reviewing an older revision of this page.

There is no valid CSRF token in this request


When navigating throughout an Appian environment using Apache as a web server, users may see the following error in the application server log:

WARN - There is no valid CSRF token in this request [URI=/suite/framework/backgroundAction.none]


Appan uses CSRF cookies that need to be accessible via JavaScript. Users may see the error if their Apache web server has been configured to set all cookies to HttpOnly due to security policies of their organization. If so, the CSRF cookies don't work.


In the httpd.conf file, change the Set-Cookie configuration to allow for a RegEx that excludes the CSRF tokens. The names of the CSRF tokens are _appianCsrfToken and _appianMultipartCsrfToken. Please consult your web server admins for additional information.

Affected Versions

This article applies to all versions of Appian using Apache as a web server.

Last Reviewed: May 2018