Skip to main content

CSRF troubleshooting

For general CRSF troubleshooting visit the Ory Identities documentation.

This document contains troubleshooting advice regarding CRSF and cookie errors specific to self-hosted Ory Identities Kratos.

Common issues

SameSite attribute

If you run Ory Kratos in --dev mode, it disables SameSite=Lax as Google Chrome rejects all cookies that have SameSite=Lax but have secure set to false. If you require SameSite=Lax, you need to run Ory Kratos with HTTPS and not use the --dev flag.

Running over HTTP without --dev mode

Ory Kratos' cookies have the Secure flag enabled by default. This means that the browser won't send the cookie unless the URL is a HTTPS URL. If you want Ory Kratos to work with HTTP (for example on localhost) you can add the --dev flag: kratos serve --dev.

Don't do this in production!

Running on separate (sub)domains

Cookies work best on the same domain. While it's possible to get cookies running on subdomains it isn't possible to do that across Top Level Domains (TLDs).

Make sure that your application (for example the Quickstart self service app ) and Ory Kratos Public API are available on the same domain - preferably without subdomains. Hosting both systems and routing paths with a Reverse Proxy such as Nginx or Envoy or AWS API Gateway is the best solution. For example, routing https://my-website/kratos/... to Ory Kratos and https://my-website/dashboard to the SecureApp's Dashboard. Alternatively you can use piping in your app as we do in the Quickstart guide.

We don't recommend running them on separate subdomains, such as and

To allow cookies to work across subdomains, make sure to set the domain name in the Kratos config file under session.cookie.domain.

Running the apps on different domains won't work at all, such as https://kratos-my-website/ and https://secureapp-my-website/.

Running the services on different ports is ok, if the domain stays the same.

Mixing up and localhost

Make sure that the domain stays the same. This is also true for and localhost which are both separate domains. Make sure that you use or localhost consistently across your configuration!