CSRF Tokens

Many sites use CSRF tokens to prevent cross-site request forgery. In this case you need to extract those tokens and send them along with subsequent requests.

For further information on content extraction take a look at our reference.

Extract CSRF Token

In your test case definition you can use StormForger's ability to extract the token from a response body like:

{
  "authorization": {
    "csrfToken": "noXuMgKei5pPP4wdv5Kq"
  }
}

with the following option:

session.get("/users/register", {
  tag: "fetch_token",
  extraction: {
    jsonpath: {
      // variable name: path to the value in the JSON response body
      "csrfToken": "authorization.csrfToken"
    }
  }
});

You can then use the csrfToken as a dynamic data source within the same session:

session.post("/users/register", {
  tag: "registration",
  payload: {
    // token extracted by the "fetch_token" request earlier in this session
    token: session.getVar("csrfToken"),
    username: "Foo",
    password: "bar"
  }
});
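
Why the token has to be extracted in each session instead of being hard-coded into the test case, as an added example that is not StormForger code and not part of the original page: a constructed in-memory stand-in for the target application which, by assumption, binds every CSRF token to the session it was issued to. All function names (getRegister, postRegister, extract, runClient, runClientWithStaticToken) are hypothetical.

```javascript
// Added example: constructed in-memory stand-in for the target app (not StormForger code).
const crypto = require("node:crypto");

const tokens = new Map(); // sessionId -> CSRF token issued to that session (assumption)

// GET /users/register: issue a token in the JSON shape shown on this page.
function getRegister(sessionId) {
  const csrfToken = crypto.randomBytes(15).toString("base64url");
  tokens.set(sessionId, csrfToken);
  return JSON.stringify({ authorization: { csrfToken } });
}

// POST /users/register: accept only the token issued to this session.
function postRegister(sessionId, payload) {
  const expected = Buffer.from(tokens.get(sessionId) || "");
  const given = Buffer.from(String(payload.token || ""));
  const ok = expected.length > 0 && expected.length === given.length &&
    crypto.timingSafeEqual(expected, given); // constant-time comparison
  return ok ? 201 : 403;
}

// Resolve a dotted path such as "authorization.csrfToken" in a JSON body.
// Throws instead of returning undefined, so a failed extraction is visible.
function extract(body, path) {
  const value = path.split(".").reduce(
    (node, key) => (node != null && typeof node === "object" ? node[key] : undefined),
    JSON.parse(body));
  if (typeof value !== "string" || value === "") {
    throw new Error(`extraction failed for "${path}"`);
  }
  return value;
}

// One simulated client: fetch the token, then register with it.
function runClient(sessionId) {
  const vars = { csrfToken: extract(getRegister(sessionId), "authorization.csrfToken") };
  return postRegister(sessionId, { token: vars.csrfToken, username: "Foo", password: "bar" });
}

// Same flow, but replaying the sample token from the response shown above.
function runClientWithStaticToken(sessionId) {
  getRegister(sessionId);
  return postRegister(sessionId, { token: "noXuMgKei5pPP4wdv5Kq", username: "Foo", password: "bar" });
}
```

A test run in which every registration request returns 403 usually points to a failed or missing extraction step, not to a capacity problem in the target.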