For general CRSF troubleshooting visit the Ory Identities documentation.
This document contains troubleshooting advice regarding CRSF and cookie errors specific to self-hosted Ory Identities Kratos.
If you run Ory Kratos in
--dev mode, it disables
SameSite=Lax as Google Chrome rejects all cookies that have
secure set to
false. If you require
SameSite=Lax, you need to run Ory Kratos with HTTPS and not use the
Running over HTTP without
Ory Kratos' cookies have the
Secure flag enabled by default. This means that the browser won't send the cookie unless the URL is
a HTTPS URL. If you want Ory Kratos to work with HTTP (for example on localhost) you can add the
kratos serve --dev.
Don't do this in production!
Running on separate (sub)domains
Cookies work best on the same domain. While it's possible to get cookies running on subdomains it isn't possible to do that across Top Level Domains (TLDs).
Make sure that your application (for example the Quickstart self service app ) and Ory Kratos Public API are available on the same
domain - preferably without subdomains. Hosting both systems and routing paths with a Reverse Proxy such as Nginx or Envoy or AWS
API Gateway is the best solution. For example, routing
https://my-website/kratos/... to Ory Kratos and
https://my-website/dashboard to the SecureApp's Dashboard. Alternatively you can use piping in your app as we do in the
We don't recommend running them on separate subdomains, such as
To allow cookies to work across subdomains, make sure to set the domain name in the Kratos config file under
Running the apps on different domains won't work at all, such as
Running the services on different ports is ok, if the domain stays the same.
Mixing up 127.0.0.1 and localhost
Make sure that the domain stays the same. This is also true for
localhost which are both separate domains. Make
sure that you use
localhost consistently across your configuration!