Hello,

I have a confusing issue with the Splunk endpoint POST method execution. Every time I'm trying to send a GET request to my custom endpoint, everything works as expected. But when I am sending a POST request with the identical parameters and Cookies, the API returns a 401 status code and says: "Splunk cannot authenticate the request. CSRF validation failed.". I have no clue why this happens because the CSRF Token in the request is still the same token as the token in the GET request. Moreover the response of the GET request returns the identical CSRF cookie which is afterwards used again by the POST method.

Using the API over the management port on 8089 works perfectly fine with GET and POST requests. This happens just with the /splunkd/__raw webservice endpoint.

Does anyone have an idea about what is causing this error?
Thanks in advance!

Request:

POST /en-GB/splunkd/__raw/services/test_endpoint HTTP/1.1
Host: localhost:8000
Content-Length: 10
Origin: http://localhost:8000
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36
Content-Type: text/plain;charset=UTF-8
Accept: */*
Referer: http://localhost:8000/en-GB/splunkd/__raw/services/test_endpoint?payload=Hello
Accept-Encoding: gzip, deflate
Accept-Language: de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: splunkweb_csrf_token_8000=XXX; session_id_8000=XXX; token_key=XXX; experience_id=XXX; splunkd_8000=XXX
Connection: close

Hello POST

Response:

HTTP/1.1 401 Splunk cannot authenticate the request. CSRF validation failed.
Date: Fri, 25 May 2018 07:02:13 GMT
Content-Type: text/xml; charset=UTF-8
X-Content-Type-Options: nosniff
Content-Length: 181
Vary: Cookie
Connection: Close
X-Frame-Options: SAMEORIGIN
Server: Splunkd

<?xml version="1.0" encoding="UTF-8"?>
<response>
  <messages>
    <msg type="ERROR">Splunk cannot authenticate the request. CSRF validation failed.</msg>
  </messages>
</response>