Server config causing CSRF triggers

The CSRF token is only verified when

1. $config['csrf_protection'] = TRUE; in config.php
   
2. The server method is POST
   

Does your hardening turns every GET into a POST?

If the request is not POST, then the 403 errors are due to some reason other than CSRF.

When POSTing, the CSRF token_name/token_hash needs to be part of the posted data.

Thanks for the reply.  The request is indeed POST.  I looked through my configuration and I don't see anything indicating GET requests are being turned into POST.  I've attached redacted versions of my php.ini, httpd.conf and httpd-ssl.conf.  Perhaps someone can see something that I'm missing.

I wish I could view more of the output of CSRF, such as a verbose log of what exactly it's hanging up on.

Attached Files

  httpd.txt (Size: 14.33 KB / Downloads: 39)
  httpd-ssl.txt (Size: 2.24 KB / Downloads: 30)
  php.txt (Size: 6.78 KB / Downloads: 28)