Rewrite rule results in panel login failure

Hi Forum,

after I’ve set a rewrite rule inside the .htaccess to redirect www to non-www and HTTP to HTTPS I can’t access the panel anymore. The console says:

{status: "error", message: "Invalid CSRF token", key: "0", details: Array(0), code: 400}code: 400details: []key: "0"message: "Invalid CSRF token"status: "error"__proto__: Object

RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} ^www\. [NC]
RewriteCond %{HTTP_HOST} ^(?:www\.)?(.+)$ [NC]
RewriteRule ^ https://%1%{REQUEST_URI} [L,NE,R=301]

Is there any rule or setting I’ve to keep in mind when doing this?

Thanks in advance for any hints!

I usually do this stuff in the server config files (on a VPS). But that’s only possible if you can configure your server, not on shared hosting.

Where have you set the rules? They should go directly after RewriteEngine on. This is the solution suggested in Kirby secrets

RewriteCond %{HTTP_HOST} !=localhost
RewriteCond %{HTTP_HOST} ^www\. [NC,OR]
RewriteCond %{HTTPS} off
RewriteCond %{HTTP_HOST} ^(?:www\.)?(.+)$ [NC]
RewriteRule ^ https://%1%{REQUEST_URI} [R=301,L,NE]

Yes, in this case the website is running on a shared hosting … unfortunately.
I just tested your suggestion but it still results in the same error. And the rules are directly RewriteEngine on

Have you deleted all session data in the browser after the rewrite stuff?

Yes I cleaned up all my session data from the last 24 hrs and even tried to login via my phone but still the same issue. My Kirby version is 3.0.2

Ok I think I’ve found the issue. I added some html security headers and they seem to block the login script. I guess I’ll need to add some exceptions?

Don’t know what security header you’re using… First I’d add one after the other again to isolate the one that causes the issue.