What's changing?

Starting in Mattermost v11, the default value of the `ExperimentalStrictCSRFEnforcement` setting will be changed to `true`. This means strict CSRF token enforcement will be enabled by default for all API requests, including the Mattermost API and the Plugin API. The legacy `X-Requested-With` header fallback will still be supported, but only when strict enforcement is explicitly disabled by setting `ExperimentalStrictCSRFEnforcement` to `false`.
Why this matters / Why are we making this change?

- Gradually helps developers transition away from the legacy `X-Requested-With` header and migrate to the modern CSRF token mechanism.
- Strengthens security by aligning with industry best practices for CSRF protection.
- Prepares your environment for the eventual removal of `X-Requested-With` header support in a future release.
What do you need to do?

- Review your system configuration to ensure compatibility with `ExperimentalStrictCSRFEnforcement` set to `true`.
- Update any custom integrations, plugins, or third-party applications that interact with the Mattermost API or Plugin API to use CSRF tokens if they still rely on `X-Requested-With`.
- Watch for warnings or log entries generated for requests that use the deprecated `X-Requested-With` header, and address them before the fallback is removed.
- Test your applications thoroughly to ensure a smooth transition with these changes in v11.