Invalid CSRF Token on Hepburn Theme Panel Installation


I am trying to install Kirby via the Hepburn theme. When I try to create the panel, I receive the “Invalid CSRF token” error message.

I have deleted all cookies from both Safari and Chrome, quit and restarted, and tried to navigate directly to my panel, but the error keeps popping up.

I’m not going to lie, I am a novice, but I can dig and change some lines of code here and there.

Any help would be appreciated.


Did you install it locally or on a remote server? Does it only happen with the theme or also with the Starterkit?

Does the cookie get set correctly (check your browser's network tab)?

I installed it on a remote server.

Also, I'm going to have to plead ignorance on checking my browser's network tab. I do not know what that means. Forgive me.

Could you provide the URL to your installation? You can send me a PM if you don’t want to post it publicly.

I’m sorry. It did not happen with the starter kit. Only with the theme. I originally installed the Starterkit to test out Kirby, and I was able to install and create my panel without a problem.

Ok, the CSRF token is indeed undefined and the Set-Cookie header is not sent.

Could you check if there is maybe an empty line at the top of index.php or the site/config/config.php?

Ah, the developer of the theme is going to answer…

I was about to, but you beat me to it … :slight_smile:

There is no blank line in the config (at least not in the distributed files).

I just checked both files, and there is no empty line at the top of either.

Wait a minute… I know what is causing this… give me a sec…

Ok @jdominici remove the first 4 lines of the .htaccess file.

# Kirby .htaccess
<IfModule mod_headers.c>
  Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
</IfModule>

It's too strict.

Will do.

I've hit this myself, it's one of the Content-Security-Policy rules in the .htaccess. I generally tune this after installing the panel, and past that point it's not an issue. So once you have a panel account, you can put those lines back.

OK, so I deleted those lines, cleared history and cookies from Safari, quit Safari, relaunched, navigated directly to the panel, and still received the error. Same in Chrome.

OK, also remove lines 304-316…

<IfModule mod_headers.c>
    Header set Content-Security-Policy "script-src 'self'; object-src 'self'"
    <FilesMatch "\.(appcache|atom|bbaw|bmp|crx|css|cur|eot|f4[abpv]|flv|geojson|gif|htc|ico|jpe?g|js|json(ld)?|m4[av]|manifest|map|mp4|oex|og[agv]|opus|otf|pdf|png|rdf|rss|safariextz|svgz?|swf|topojson|tt[cf]|txt|vcard|vcf|vtt|webapp|web[mp]|webmanifest|woff2?|xloc|xml|xpi)$">
        Header unset Content-Security-Policy
    </FilesMatch>
</IfModule>
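The two symptoms named in this thread (no Set-Cookie header on the panel response, and a `script-src 'self'` policy that permits no inline scripts) are both visible in the response headers, which is what "check the network tab" means. The script below is an added example, not code from the thread, from Kirby or from the Hepburn theme: it takes a dictionary of response headers as the browser would show them, parses the Content-Security-Policy the way the CSP fallback rule does (script-src, else default-src), and reports what would stop a panel page from working. Both header sets are constructed to mirror the headers quoted above, and the cookie name is made up.

```python
import re
from typing import Dict, List

# Constructed sample headers, standing in for what the browser's network tab
# shows for the panel response. Neither is a real capture from the thread's server.
THEME_HEADERS = {
    "Content-Type": "text/html; charset=UTF-8",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "script-src 'self'; object-src 'self'",
}
STARTERKIT_HEADERS = {
    "Content-Type": "text/html; charset=UTF-8",
    "Set-Cookie": "kirby_session=constructed; Path=/; HttpOnly; SameSite=Lax",
}


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy value into {directive: [source list]}."""
    policy: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def effective_script_sources(policy: Dict[str, List[str]]) -> List[str]:
    """script-src, or default-src when script-src is absent (the CSP fallback rule)."""
    return policy.get("script-src", policy.get("default-src", []))


def allows_inline_scripts(sources: List[str]) -> bool:
    """Inline <script> blocks run only with 'unsafe-inline', a nonce or a hash source."""
    if not sources:
        return True  # no applicable directive: browser default, nothing is blocked
    return any(
        s == "'unsafe-inline'" or s.startswith("'nonce-") or s.startswith("'sha")
        for s in sources
    )


def diagnose(headers: Dict[str, str]) -> List[str]:
    """Return findings for one panel response; an empty list means nothing suspicious."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []

    # 1. No cookie issued: the browser has no session to pair the CSRF token with.
    if "set-cookie" not in lower:
        findings.append("no-cookie: the response sets no cookie, so the browser has no "
                        "session to pair the CSRF token with on the next request")

    # 2. A script-src that forbids inline scripts blocks any page relying on them.
    csp = lower.get("content-security-policy")
    if csp is not None:
        sources = effective_script_sources(parse_csp(csp))
        if not allows_inline_scripts(sources):
            findings.append("csp-inline: script-src %s blocks inline scripts "
                            "(no 'unsafe-inline', nonce or hash)" % " ".join(sources))

    # 3. HSTS is not a bug by itself, but it pins the browser to HTTPS for max-age,
    #    so it belongs in the report when the site is not yet fully served over TLS.
    hsts = lower.get("strict-transport-security")
    if hsts is not None:
        match = re.search(r"max-age=(\d+)", hsts)
        age = int(match.group(1)) if match else 0
        findings.append("hsts: browser will be pinned to HTTPS for %d seconds; "
                        "only safe once the whole site is served over TLS" % age)
    return findings


if __name__ == "__main__":
    for name, hdrs in (("theme", THEME_HEADERS), ("starterkit", STARTERKIT_HEADERS)):
        print(name, diagnose(hdrs) or ["ok"])
```

The cookie check looks at a single response, so run it against the first panel page load (or the login POST's response); a cookie set on an earlier response would not show up here. The HSTS line is informational: once the panel works over HTTPS, putting the header back is the right call, which is also what the thread suggests for the CSP block.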


It pains me to say, still no luck. I am so sorry for troubling you.

The easy way to fix it would be to use the .htaccess from the Starterkit, but the one included with the theme has been tuned for speed and performance.

OK. I will use the one from the Starterkit.

Removing those two sections worked for me on my own server. But every server is different, I guess…

@texnixe Do you have any idea why that rule would block panel installs?