How to fix a 400 Bad Request in Craft CMS

Oscar de la Hera Gomez
A flower that represents Craft CMS. Beneath it sits the text "400 Bad Request."

Either disable CSRF protection for your entire project or disable CSRF protection the specific controller action.

When making calls to actions or API built with Craft CMS, you might encounter a 400 Bad Request with a BadRequestHttpException: Unable to verify your data submission. To fix this do one of the following:

Set the enableCsrfValidation to false for the specific controller action

A screenshot showing how to set CSRF validation to false for a specific controller action in Craft CMS. The sample code that is highlighted in this screenshot can be found below.

Open the controller action that requires CSRF protection and in the beforeAction function, disable the CSRF validation using code similar to the one below.

This is recommended as it removes protection only in places where its needed. Enhancing the overall level of protection.

Disable CSRF Protection for the entire project

A screenshot of the general.php, with the CSRF Protection removed for the entire Craft CMS project. Sample code of what we used to do this is found below.

Open your general.php file found in config/general.php and add the following line:


This is not the recommended route as. this will disable CSRF protection for your entire Craft CMS, which raises security vulnerabilities.

Any Questions?

We are actively looking for feedback on how to improve this resource. Please send us a note to with any thoughts or feedback you may have.

delasign logo

Book a Free Consultation.

An icon of an email.

Click here to email us.

Fill in the details below to book a free consultation or to let us know about something else. Whatever it is, we are here to help.

How can we help you ?

Contact Details