What’s changing?
Starting in Mattermost v11, the ExperimentalStrictCSRFEnforcement setting will be renamed to StrictCSRFEnforcement and its default value will be changed to true for new installations. This means strict CSRF token enforcement will be enabled by default for all API requests, including the Mattermost API and the Plugin API. The legacy X-Requested-With header fallback will still be supported, but only when strict enforcement is explicitly disabled by setting StrictCSRFEnforcement to false.
Why this matters / Why are we making this change?
- Gradually helps developers transition away from the legacy X-Requested-With header and migrate to the modern CSRF token mechanism.
- Strengthens security by aligning with industry best practices for CSRF protection.
- Prepares your environment for the eventual removal of X-Requested-With header support in a future release.
What do you need to do?
- Review your system configuration to ensure compatibility with StrictCSRFEnforcement set to true.
- Update any custom integrations, plugins, or third-party applications that interact with the Mattermost API or Plugin API to use CSRF tokens if they still rely on X-Requested-With.
- Watch for warnings or logs generated for requests using the deprecated X-Requested-With header and address them to prepare for future deprecation.
- Test your applications thoroughly to ensure a smooth transition with these changes in v11.
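The following Go program is an added illustration of the enforcement behaviour described above (the strict-versus-legacy decision in "What's changing?" and the log warnings you are asked to watch for in "What do you need to do?"). It is not Mattermost's own server code. It assumes Mattermost's cookie-based session flow, in which the session cookie is MMAUTHTOKEN and the server expects the session's CSRF token to be echoed in an X-CSRF-Token request header (the Mattermost webapp reads that token from the MMCSRF cookie set at login); verify the exact header and cookie names against your server version. The sample requests, session id and token values are constructed for the demo.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"log"
	"net/http"
	"net/http/httptest"
	"strings"
)

// CSRFResult is the outcome of the check. Illustrative model, not Mattermost code.
type CSRFResult struct {
	Allowed    bool
	LegacyUsed bool // admitted only because of the deprecated X-Requested-With header
	Reason     string
}

// checkCSRF decides whether a cookie-authenticated request may proceed.
// strict mirrors the StrictCSRFEnforcement setting; sessionCSRF is the token
// the server stored for the session at login (assumption: the same value the
// webapp reads from the MMCSRF cookie and sends back as X-CSRF-Token).
func checkCSRF(r *http.Request, sessionCSRF string, strict bool) CSRFResult {
	// Safe methods do not change state, so there is nothing to enforce.
	switch r.Method {
	case http.MethodGet, http.MethodHead, http.MethodOptions:
		return CSRFResult{Allowed: true, Reason: "safe method"}
	}
	// A bearer token is not attached automatically by a browser, so CSRF
	// enforcement only concerns requests authenticated by the session cookie.
	if strings.HasPrefix(r.Header.Get("Authorization"), "Bearer ") {
		return CSRFResult{Allowed: true, Reason: "token auth, CSRF check not applicable"}
	}
	if _, err := r.Cookie("MMAUTHTOKEN"); err != nil {
		return CSRFResult{Allowed: false, Reason: "no session cookie"}
	}
	// Preferred mechanism: the echoed token must match the session's token.
	got := r.Header.Get("X-CSRF-Token")
	if got != "" && subtle.ConstantTimeCompare([]byte(got), []byte(sessionCSRF)) == 1 {
		return CSRFResult{Allowed: true, Reason: "CSRF token valid"}
	}
	// Legacy fallback: honoured only when enforcement is not strict, and always
	// logged so operators can locate integrations that still depend on it.
	if r.Header.Get("X-Requested-With") == "XMLHttpRequest" {
		if strict {
			return CSRFResult{Allowed: false, Reason: "legacy header rejected under StrictCSRFEnforcement"}
		}
		log.Printf("DEPRECATED: %s %s admitted via X-Requested-With; migrate this client to CSRF tokens", r.Method, r.URL.Path)
		return CSRFResult{Allowed: true, LegacyUsed: true, Reason: "legacy header accepted (strict enforcement off)"}
	}
	return CSRFResult{Allowed: false, Reason: "missing or invalid CSRF token"}
}

// newRequest builds a constructed sample request carrying a session cookie.
func newRequest(method string, headers map[string]string) *http.Request {
	r := httptest.NewRequest(method, "/api/v4/posts", nil)
	r.AddCookie(&http.Cookie{Name: "MMAUTHTOKEN", Value: "session-id-constructed"})
	for k, v := range headers {
		r.Header.Set(k, v)
	}
	return r
}

func main() {
	const token = "csrf-token-constructed"
	cases := []struct {
		name string
		req  *http.Request
	}{
		{"X-CSRF-Token header", newRequest(http.MethodPost, map[string]string{"X-CSRF-Token": token})},
		{"X-Requested-With only", newRequest(http.MethodPost, map[string]string{"X-Requested-With": "XMLHttpRequest"})},
		{"no CSRF header", newRequest(http.MethodPost, nil)},
	}
	// Run the same requests with enforcement off (pre-v11 default) and on (v11 default).
	for _, strict := range []bool{false, true} {
		for _, c := range cases {
			res := checkCSRF(c.req, token, strict)
			fmt.Printf("strict=%-5v %-22s allowed=%-5v legacy=%-5v %s\n",
				strict, c.name, res.Allowed, res.LegacyUsed, res.Reason)
		}
	}
}
```

Running it shows the one behavioural difference the setting introduces: a request that carries only X-Requested-With is admitted with a deprecation log line when strict enforcement is off and rejected when it is on, while a request carrying the correct X-CSRF-Token passes in both modes. The log line is the signal to grep for in your server logs while you track down integrations that still need migrating.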