CSRF request rejected (token-missing-cookie). Help needed please.

[badaz]

Hi, I've been trying to upgrade sortarr from 0.8.0 (which was configured and running fine) to 0.8.5.1 and I'm stuck at the setup page where it says:

Security update required: finish Setup to save a persistent Session secret key and required Basic Auth credentials before continuing to the app.

Sortarr, radarr, sonarr and jellystat are all running on my synology NAS, each have their own docker compose file, sharing the same docker network.

Sortarr, radarr, sonarr and jellystat are only reachable from my LAN through direct IP and port or local domain names ending with .nas.lan (sortarr.nas.lan, radarr.nas.lan, sonarr.nas.lan). No remote access.

The .nas.lan domain names are resolved to my NAS IP using dnsmasq on my router.

I use the synology DSM integrated reverse proxy (nginx) with no extra config to redirect local .nas.lan domains to the right ports on the nas (all using http + access control to restrict to LAN addresses)

Here is the latest sortarr compose file I have been using (after many trials and errors) :

services:
  sortarr:
    image: ghcr.io/jaredharper1/sortarr:0.8.5.1
    # Optional: set platform (e.g., linux/arm64/v8 for Apple Silicon).
    # platform: linux/arm64/v8    
    container_name: sortarr
    ports:
      - 9595:8787
    environment:
      - SORTARR_CONFIG_PATH=/data/Sortarr.env
      - CACHE_SECONDS=300
      # Optional: Use Reverse Proxy? ie. NGINX, Cloudflare, Caddy, Traefik, Apache? Use this:
      # eg. SORTARR_PROXY_HOPS=1
      # Optional: Map container paths to host paths for the UI
      # eg. RADARR_PATH_MAP=/movies:/mnt/media/movies
      - SORTARR_PROXY_MODE=single
      - SORTARR_CSRF_TRUSTED_ORIGINS=http://sortarr.nas.lan
      - PUID=1026
      - PGID=101
      - TZ=Europe/Paris
      - SONARR_URL=http://sonarr:8989
      - RADARR_URL=http://radarr:7878
      - RADARR_API_KEY_FILE=/data/secrets/radarr_api_key.secret
      - SONARR_API_KEY_FILE=/data/secrets/sonarr_api_key.secret
      - JELLYSTAT_API_KEY_FILE=/data/secrets/jellystat_api_key.secret
      # - RADARR_PATH_MAP=/data/movies:/mnt/media/movies
      # - SONARR_PATH_MAP=/data/series:/mnt/media/series
    volumes:
      - ./data:/data
      - /volume1/media:/data
      # Optional: Mount .env for persistence if using default paths
      # eg. /path/to/config/.env:/app/.env    
    restart: unless-stopped
    networks:
      - jellyfin

networks:
  jellyfin:
    name: jellyfin-ls_default
    external: true

When trying to save updated settings, I get this error in the server logs:
2026-03-15 08:14:43,792 WARNING sortarr: CSRF request rejected at 2026-03-15T07:14:43Z:

{
    "extra": {
        "csrf_valid": false
    },
    "headers": {
        "Host": "sortarr.nas.lan",
        "Origin": "http://sortarr.nas.lan",
        "Referer": "http://sortarr.nas.lan/setup?<redacted>",
        "X-Forwarded-For": "192.168.2.109",
        "X-Forwarded-Host": "",
        "X-Forwarded-Port": "",
        "X-Forwarded-Prefix": "",
        "X-Forwarded-Proto": "http"
    },
    "host": "sortarr.nas.lan",
    "host_url": "http://sortarr.nas.lan/",
    "is_secure": false,
    "method": "POST",
    "path": "/setup",
    "proxy_fix": {
        "x_for": 1,
        "x_host": 1,
        "x_port": 1,
        "x_prefix": 0,
        "x_proto": 1
    },
    "reason": "token-missing-cookie",
    "remote_addr": "192.168.2.109",
    "scheme": "http",
    "url": "http://sortarr.nas.lan/setup?<redacted>"
}

I tried clearing all data for sortarr.nas.lan domain in my browser (including cookies)
I tried SORTARR_PROXY_HOPS=1 too
I went through the issues mentioning CSRF token problems and tried some of the things sugested there, although I do not always understand everything about what is discussed there.

What is a little frustrating is that every time I go back to the setup page I have to enter my radarr and sonarr API keys again as well as my password before saving once more, which makes trying different things a very slow process.

I have basic knowledge of nginx and I seem to understand that the DSM version of it is quite limited in terms of configuration options. However I've not had as much trouble setting up other docker services on the NAS (I run prowlarr, radarr, sonarr, jellyfin, jellystat, seerr, readarr, transmission, audiobookshelf, portainer)

I read the docs of sortarr, but the part about reverse proxies is quite technical and I don't really know what to make of it.

Could you provide some guidance please?

[bigggtuna]

Also experiencing the same issue.

[Jaredharper1]

Okay, thank you for raising this. I picked a bad time to go on vacation it seems! I've just returned. I'll get right on trying to resolve this.

As for why this is needed, I am noticing a lot of people running Sortarr with reverse proxies and exposing it to the internet. I am probably being overly secure but I am just trying not to expose API keys and other secrets.

I've clearly bungled the implementation... Extremely sorry, but it is in the aim of security. It should be possible to run earlier versions that are more stable but less secure in the meantime, and I do consider this a serious issue. I'll be working doubletime trying to resolve this.

[Jaredharper1]

0.8.6 is now released, and I believe it should fix this token-missing-cookie setup failure.

This release includes:

• a fix for setup/session cookie transport during setup POSTs
• better proxy/CSRF diagnostics
• setup form persistence after failed save/test attempts, so fields are not lost on every retry

Please retest on 0.8.6 when convenient. If it still fails, please reply with:

• how you are accessing Sortarr (http://IP:port, reverse proxy, Synology proxy, etc.)
• /api/diagnostics/csrf
• /api/diagnostics/security-self-check
• the latest CSRF request rejected ... log line

[badaz]

Thanks a lot. I'll try 0.8.6 this weekend and report back here.

[Jaredharper1]

Thank you very much! I'll leave the thread open until you get a chance to test it out, so no rush at all.