How to Fix Mastodon Error ‘CSRF Token Mismatch’ on Form Submit

When you submit a form in Mastodon, such as logging in, posting a status, or changing settings, you might see the request rejected with a security verification failure, commonly described as a CSRF token mismatch. Mastodon is a Rails application, and this is Rails' InvalidAuthenticityToken error: the anti-forgery token sent with the form does not match the secret stored in your session, or no session cookie arrived at all. Mastodon answers with its 422 page, which asks whether you are blocking cookies, and the server log records "Can't verify CSRF token authenticity." The cause is usually a stale or missing session cookie, a browser extension that blocks or modifies cookies, or a misconfigured reverse proxy in front of a self-hosted instance that keeps the application from ever setting its session cookie. This article explains why the mismatch occurs and provides step-by-step fixes for the most common scenarios.

Key Takeaways: Fixing the CSRF Token Mismatch Error in Mastodon

  • Clear browser cookies and cache: Removes stale session data that causes token mismatch on form submit.
  • Disable browser extensions: Extensions that block or modify cookies can prevent the CSRF token from being sent correctly.
  • Check reverse proxy configuration (self-hosted instances): Ensure Nginx or Apache forwards X-Forwarded-Proto and does not strip or alter the _mastodon_session cookie, which carries the CSRF secret.


Why Mastodon Throws a CSRF Token Mismatch Error

Cross-Site Request Forgery (CSRF) protection is built into Rails, the framework Mastodon runs on, and is enabled for every form. The server generates a random secret for your session and keeps it under the session key _csrf_token; in Mastodon the whole session is serialized into the _mastodon_session cookie, so there is no separate CSRF cookie. Every rendered form carries a hidden authenticity_token field (and every page a csrf-token meta tag, which the web client sends as the X-CSRF-Token header) derived from that secret. When you submit the form, the browser sends both the token and the session cookie. The server recovers the secret from the cookie and checks that the submitted token was derived from it. If it was not, or if no session cookie arrived, Rails raises InvalidAuthenticityToken and Mastodon rejects the request with a 422 error.

The mismatch occurs in three main scenarios:

  • Stale session: The form was rendered under one session but submitted under another. Typical triggers are logging out or back in from another tab, the browser dropping or expiring the cookie while the page sat open, or, on a self-hosted instance, a changed SECRET_KEY_BASE that makes every existing session cookie unreadable.
  • Third-party interference: Browser extensions that block, rewrite or auto-delete first-party cookies can remove the _mastodon_session cookie before the form is submitted, so the server receives a token with no session to check it against.
  • Reverse proxy misconfiguration: On a self-hosted instance behind Nginx or Apache, a proxy that does not forward X-Forwarded-Proto keeps Mastodon from setting its Secure session cookie at all, and a proxy cache that stores HTML can hand one visitor a page whose token belongs to another session.
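To make the mechanism concrete, here is an added example, not Mastodon's or Rails' own code, that reimplements the token scheme Rails uses in plain Ruby: a per-session secret kept under _csrf_token, a masked form token that changes on every render, and the server-side check. The session hash, the demo walk-through and the constant-time compare are constructed for illustration (Rails calls an ActiveSupport helper for the comparison); the three failure cases mirror the scenarios listed above.

```ruby
# frozen_string_literal: true
require 'securerandom'

TOKEN_LENGTH = 32 # bytes, as in Rails' AUTHENTICITY_TOKEN_LENGTH

# Unpadded URL-safe Base64, the encoding Rails uses for the form token.
def b64url_encode(bytes)
  [bytes].pack('m0').tr('+/', '-_').delete('=')
end

def b64url_decode(str)
  padded = str.tr('-_', '+/')
  padded += '=' * ((4 - padded.length % 4) % 4)
  padded.unpack1('m0') # strict decode: raises ArgumentError on malformed input
end

# Server side. Rails keeps the per-session secret at session[:_csrf_token];
# Mastodon serialises the whole session hash into the _mastodon_session cookie.
# A new session (login, logout, cleared cookies) means a new secret.
# This hash is a stand-in for the real session object (constructed for the demo).
def new_session
  { _csrf_token: [SecureRandom.random_bytes(TOKEN_LENGTH)].pack('m0') }
end

def raw_token(session)
  session[:_csrf_token].unpack1('m0')
end

def xor_bytes(a, b)
  a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack('C*')
end

# Constant-time comparison so a mismatch does not leak where the bytes differ.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Token embedded in the hidden authenticity_token field (and the csrf-token
# meta tag): a fresh one-time pad followed by pad XOR secret. Every render
# yields a different string, but all of them unmask to the same secret.
def form_token(session)
  pad = SecureRandom.random_bytes(TOKEN_LENGTH)
  b64url_encode(pad + xor_bytes(pad, raw_token(session)))
end

# What the server does on submit. `session` is whatever the _mastodon_session
# cookie decoded to (nil when the cookie was blocked, deleted or never set).
def valid_token?(session, submitted)
  return false if session.nil? || submitted.nil?
  decoded = b64url_decode(submitted)
  return false unless decoded.bytesize == 2 * TOKEN_LENGTH
  pad = decoded[0, TOKEN_LENGTH]
  masked = decoded[TOKEN_LENGTH, TOKEN_LENGTH]
  secure_compare(xor_bytes(pad, masked), raw_token(session))
rescue ArgumentError
  false
end

# Walk through the failure modes described in the text.
def demo
  browser_a = new_session              # the session that rendered the form
  token = form_token(browser_a)
  {
    same_session: valid_token?(browser_a, token),      # normal submit
    stale_session: valid_token?(new_session, token),   # logged out/in, cookie rotated
    no_cookie: valid_token?(nil, token),               # extension stripped the cookie
    tampered: valid_token?(browser_a, token.reverse)   # garbage in the hidden field
  }
end

puts demo if $PROGRAM_NAME == __FILE__
```

Running the script prints true only for same_session. The stale_session case is the one behind most user reports: the hidden field still holds a perfectly well-formed token, but the cookie that arrives with it decodes to a different secret, so the unmasked value cannot match.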

Steps to Clear Your Browser Session and Fix the Error

The fastest fix is to delete the session cookie for your Mastodon instance. On the next page load the server issues a new session with a fresh token, and the form you submit afterwards carries a token that matches it. Note that this logs you out.

  1. Open your browser’s developer tools.
    Press F12 (Windows) or Cmd+Option+I (Mac) to open DevTools. Click the Application tab (Chrome/Edge) or Storage tab (Firefox).
  2. Locate the cookies for your Mastodon instance.
    In the left sidebar, expand Cookies and select the domain of your Mastodon instance (for example, mastodon.social).
  3. Delete the session cookie.
    Find the cookie named _mastodon_session. This is the only cookie involved: the CSRF secret lives inside it, and there is no separate _csrf_token cookie. Right-click it and choose Delete. If you are unsure, delete all cookies for that domain.
  4. Reload the Mastodon page.
    Press Ctrl+R (Windows) or Cmd+R (Mac) to refresh. The server issues a new session cookie and renders the form with a fresh token. Try submitting the form again.

If Clearing Cookies Does Not Work: Clear Full Browser Cache

A cached copy of the form page can carry a hidden token from an earlier session, so the browser submits a token the current session cannot verify. Clear the full cache for your Mastodon instance.

  1. Open your browser’s clear browsing data dialog.
    Press Ctrl+Shift+Delete (Windows) or Cmd+Shift+Delete (Mac).
  2. Select a time range.
    Choose All time to ensure no stale data remains.
  3. Check the boxes for Cookies and Cached images/files.
    Uncheck other items like passwords or autofill data unless you want to clear those too.
  4. Click Clear data.
    Reload Mastodon and test the form again.


If the Error Persists: Disable Browser Extensions

Extensions that manage cookies, block trackers, or enforce strict privacy settings can remove or alter the _mastodon_session cookie, which carries the CSRF secret. Test with extensions disabled.

  1. Open your browser’s extension management page.
    In Chrome, type chrome://extensions in the address bar. In Firefox, type about:addons. In Edge, type edge://extensions.
  2. Disable all extensions.
    Toggle each extension off. Alternatively, use a browser profile with no extensions installed.
  3. Restart your browser and test Mastodon.
    Open Mastodon in the same window and submit the form that previously failed. If the error disappears, re-enable extensions one by one to identify the culprit.

Common Extensions That Cause CSRF Token Mismatch

  • Cookie AutoDelete or Self-Destructing Cookies: These clear the session cookie too early, before the form is submitted, so the token arrives without a session to check it against.
  • Privacy Badger or uBlock Origin in medium or hard mode: These block third-party scripts and frames rather than a site's own cookies, so they rarely break a plain login form; they matter when the blocked JavaScript stops Mastodon's web client, which sends the token in the X-CSRF-Token header, from working.
  • NoScript or ScriptSafe: The hidden token in a server-rendered form (such as login) needs no JavaScript, but every request from the web client does. Allow scripts for your instance domain.

Fix for Self-Hosted Mastodon Instances: Check Reverse Proxy Configuration

If you run your own Mastodon instance behind a reverse proxy such as Nginx or Apache, the proxy can keep the session cookie from ever reaching the browser, most often by not telling Mastodon that the request arrived over HTTPS. Because Rails keeps the CSRF secret inside the _mastodon_session cookie (there is no separate _csrf_token cookie), a missing session cookie fails every form submission. This is the most common cause for server administrators.

Nginx Configuration Fix

Ensure the proxy tells Mastodon that the original request arrived over HTTPS and passes the Host header through. Mastodon flags its session cookie Secure in production, and Rails writes a Secure cookie only on a request it considers HTTPS, so a proxy that omits X-Forwarded-Proto leaves the browser with no session cookie and every form submission fails verification. Verify these lines inside the location block that proxies to the web service (they match the sample nginx.conf Mastodon ships):

proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# Optional. Mastodon already sets Secure and HttpOnly on its cookies, so this only
# appends duplicate attributes; it does not remove or rename any cookie.
proxy_cookie_path / "/; Secure; HttpOnly";

$scheme is the scheme nginx itself received, so this is correct only when nginx terminates TLS. If a load balancer or CDN terminates TLS and reaches nginx over plain HTTP, hard-code https instead. Neither proxy_cookie_path nor proxy_cookie_domain can strip a cookie, but a rewritten Domain attribute that does not match your instance hostname makes the browser discard the _mastodon_session cookie, so leave the domain alone. Finally, make sure no proxy_cache applies to HTML responses: a cache that ignores Cache-Control would serve one visitor's page, token included, to another, and every submit from that page would fail.

Apache Configuration Fix

In the Apache virtual host that serves HTTPS, enable the mod_proxy, mod_proxy_http and mod_headers modules, proxy to the Mastodon web service (port 3000 by default) and tell it the request came in over TLS:

ProxyPreserveHost On
RequestHeader set X-Forwarded-Proto "https"
ProxyPass / http://localhost:3000/
ProxyPassReverse / http://localhost:3000/
# Optional: Mastodon already sends these attributes, so this only adds duplicates.
# The pattern must be ^(.*)$; ^(.)$ would match only a one-character header value.
Header always edit Set-Cookie ^(.*)$ "$1; Secure; HttpOnly"

RequestHeader set X-Forwarded-Proto is the line that matters: without it Rails treats the proxied request as plain HTTP and never sets the Secure session cookie. Do not use Header unset Set-Cookie or RequestHeader unset Cookie anywhere in your configuration. The first stops the session cookie from reaching the browser, the second stops it from reaching Mastodon, and the CSRF secret travels inside that cookie.
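As an added diagnostic for either proxy (not part of the original article or of Mastodon), the Ruby script below fetches the sign-in page through your public hostname and reports what a browser would see: whether a _mastodon_session cookie was set, whether it carries Secure and HttpOnly, whether the page contains the authenticity_token field and csrf-token meta tag that Rails renders, and whether the HTML was marked publicly cacheable. rails_sets_session_cookie? is a simplified model of the Rails rule described above, not the framework's code, and the sample response at the bottom is constructed; the path /auth/sign_in is Mastodon's login page.

```ruby
# frozen_string_literal: true
require 'net/http'
require 'uri'

SESSION_COOKIE = '_mastodon_session' # Mastodon's Rails session cookie

# Simplified model of the Rails rule that bites misconfigured proxies:
# ActionDispatch writes a cookie flagged Secure only when request.ssl? is true,
# and behind a proxy request.ssl? comes from the X-Forwarded-Proto header.
# Mastodon flags its session cookie Secure in production, so with no header
# (or "http") the session cookie is never sent to the browser.
def rails_sets_session_cookie?(upstream_scheme:, x_forwarded_proto: nil, production: true)
  ssl = (x_forwarded_proto || upstream_scheme).split(',').first.strip == 'https'
  ssl || !production
end

# Split one Set-Cookie header value into the cookie name and its attribute names.
def parse_set_cookie(line)
  parts = line.split(';').map(&:strip)
  name = parts.shift.split('=', 2).first
  { name: name, attrs: parts.map { |p| p.split('=', 2).first.downcase } }
end

# Check a login-page response as the browser sees it through the proxy.
# Returns an array of findings; empty means nothing looks wrong.
def analyze_login_response(set_cookies, body, cache_control: nil)
  findings = []
  session = set_cookies.map { |l| parse_set_cookie(l) }.find { |c| c[:name] == SESSION_COOKIE }
  if session.nil?
    findings << "no #{SESSION_COOKIE} cookie was set: check that the proxy sends X-Forwarded-Proto https"
  else
    findings << "#{SESSION_COOKIE} lacks the Secure attribute" unless session[:attrs].include?('secure')
    findings << "#{SESSION_COOKIE} lacks the HttpOnly attribute" unless session[:attrs].include?('httponly')
  end
  # Standard Rails markup: hidden authenticity_token field and csrf-token meta tag.
  findings << 'no authenticity_token hidden field in the page' unless body.include?('name="authenticity_token"')
  findings << 'no csrf-token meta tag in the page' unless body.include?('name="csrf-token"')
  if cache_control.to_s.match?(/\bpublic\b/)
    findings << 'HTML response is marked publicly cacheable: a shared cache could hand one session\'s token to another user'
  end
  findings
end

# Fetch the sign-in page through the public hostname (not localhost:3000),
# so the result reflects what the proxy actually passes through.
def check_instance(base_url)
  res = Net::HTTP.get_response(URI.join(base_url, '/auth/sign_in'))
  analyze_login_response(res.get_fields('set-cookie') || [], res.body.to_s,
                         cache_control: res['cache-control'])
end

# Constructed sample of a healthy response (not captured from a real instance).
SAMPLE_SET_COOKIE = ["#{SESSION_COOKIE}=abc123; path=/; secure; HttpOnly; SameSite=Lax"].freeze
SAMPLE_BODY = '<meta name="csrf-token" content="tok" />' \
              '<form><input type="hidden" name="authenticity_token" value="tok" /></form>'

if ARGV.length == 1 && ARGV.first.start_with?('http')
  findings = check_instance(ARGV.first)
  puts(findings.empty? ? 'OK: session cookie and token present' : findings)
end
```

Run it as ruby csrf_check.rb https://your.instance from outside the server. If the only finding is the missing session cookie, the fix is almost always the X-Forwarded-Proto header; if the cookie is present but the form still fails in a browser, look at extensions and caching rather than the proxy.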

If Mastodon Still Shows the CSRF Error After All Fixes

Error Persists in a Private or Incognito Window

Private windows start with an empty cookie store, so the first page load creates a fresh session; if the error still appears there, the browser is probably refusing to store cookies for the site at all, or an extension allowed in private windows is removing them. The session cookie is first-party, so blocking third-party cookies (Chrome's default in Incognito) does not by itself cause the error. In Chrome, open Settings > Privacy and security and make sure the instance is not listed among sites that may not store cookies; in Firefox, open Settings > Privacy & Security and add your instance to the Enhanced Tracking Protection exceptions if it is blocked.

Error Occurs Only on One Specific Form

If only one form, such as the login form, fails while others work, your browser may hold a cached copy of that page whose token belongs to an earlier session. Reload it with a hard refresh: press Ctrl+F5 (Windows) or Cmd+Shift+R (Mac). The hidden authenticity_token field is rendered by the server and does not depend on JavaScript, so if the failure is inside the web client, open the browser console and Network tab instead: a request answered with HTTP 422 means the X-CSRF-Token header did not match the session.

Error Appears After a Mastodon Server Upgrade

After an upgrade, a self-hosted instance that lost or changed its SECRET_KEY_BASE (for example, an .env.production that was not carried over) can no longer read any existing session cookie, and a proxy configuration replaced by a package default may have dropped the X-Forwarded-Proto header. Clear all cookies for the Mastodon domain and restart the browser. If the error remains, contact the instance administrator or, for self-hosted instances, check the environment file and proxy configuration and review the Mastodon changelog for session- or CSRF-related changes.

Comparison of the three fixes

Clearing Browser Session
  • Description: Deletes stale cookies and cached files that cause the token mismatch
  • Best for: All users, especially after logging in or out in another tab or a long idle period
  • Time to apply: 1-2 minutes
  • Requires: Browser access only

Disabling Extensions
  • Description: Removes third-party tools that block or alter the session cookie
  • Best for: Users with privacy or cookie-management extensions
  • Time to apply: 2-5 minutes
  • Requires: Browser extension management

Reverse Proxy Fix
  • Description: Corrects Nginx or Apache settings that keep the session cookie from being set or forwarded
  • Best for: Self-hosted instance administrators
  • Time to apply: 10-30 minutes
  • Requires: Server SSH access and config file editing

The CSRF verification failure in Mastodon is almost always a session or cookie issue. Start by clearing your browser cookies and cache. If that does not work, disable browser extensions and test again. For self-hosted instance owners, verify that your reverse proxy forwards X-Forwarded-Proto and does not strip, rewrite or cache the _mastodon_session cookie or the pages that carry the token. After applying the correct fix, the form should submit without errors. As a preventive step, add your Mastodon instance to your browser's cookie exceptions list so privacy tools leave its session cookie alone.
