Getting 403 on all POST requests when behind a reverse proxy

Thanks, I’ll update the logging level.

In the meantime, I’ve done the following experiments:

When I use Sentry through https://my-sentry.company.com, the response body of the 403 is:

{"detail":"CSRF Failed: CSRF token missing or incorrect."}

and indeed, the x-csrftoken header on the request is null.

However, when I open a tunnel to the instance and use Sentry from http://localhost:9000, the x-csrftoken is not null.

EDIT:

This doesn’t happen for all requests, but it does happen for the following:

https://my-sentry.company.com/api/0/organizations/company/

Full request:

:authority: my-sentry.company.com
:method: PUT
:path: /api/0/organizations/company/
:scheme: https
accept: application/json; charset=utf-8
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9,es;q=0.8,pt;q=0.7,de;q=0.6,de-DE;q=0.5
content-length: 15
content-type: application/json
cookie: _ga=GA1.2.1463822824.1544037105; source=facebook; utm_campaign_first=Website; utm_medium_first=social; utm_content_first=80859770; __insp_uid=2282350042; km_ai=eBElyy5NH3iSS%2FhI%2F3IGID6p%2Bxk%3D; km_lv=x; __insp_ss=1550862901576; km_ni=abcceo%40gmail.com; loadingTipActions=zoom-out; utm_campaign_last=march newsletter 2019; __cfduid=d81477e3adcbdcdf9b4f450adf694236b1573029302; experimentation_subject_id=ImU3MzczNjU3LTY3MTktNDhmNS1iZDdkLTY0ZjMwMDhiYTQxNiI%3D--8b8efd80ec32787a354889b3e93f4117c4bd755d; __hssrc=1; current_source=facebook; utm_medium_last=social; utm_content_last=116326368; ei_client_id=5e43b83e1acc3f0012fe1d7e; kvcd=1581496382836; __insp_wid=229749723; __insp_nv=false; __insp_targlpu=aHR0cHM6Ly9mZWVkemFpLmNvbS9ibG9nL3RoZS1yaXNreS1idXNpbmVzcy1vZi1idWlsZGluZy15b3VyLW93bi1tYWNoaW5lLWxlYXJuaW5nLXBsYXRmb3JtLz91dG1fY29udGVudD0xMTYzMjYzNjgmdXRtX21lZGl1bT1zb2NpYWwmdXRtX3NvdXJjZT1mYWNlYm9vayZoc3NfY2hhbm5lbD1mYnAtMTg1MzY4MzM4MTYzMjMz; __insp_targlpt=VGhlIFJpc2t5IEJ1c2luZXNzIG9mIEJ1aWxkaW5nIFlvdXIgT3duIE1hY2hpbmUgTGVhcm5pbmcgUGxhdGZvcm0gLSBGZWVkemFp; __insp_pad=1; __insp_sid=2420705137; __insp_slim=1581496401646; lt-session-data="0.ce27149f1705439a341"; lt-pageview-id="0.30d397551705439a343"; sc=mxr2ngDrHUNZhqVsr9bq90gz5dgCEzzOtdasYNj5WbrfvHXQlHh3iaxHuHNXdYqD; sudo="MeJ8Og482V1W:1j47Cm:2djrY5Mw_es2W4-5Cp2J0Yw-WGE"; sentrysid=".eJxNjj9PwzAUxNO6tKICIfERmDJFcf64zggSC1JhMs0WOfFLYyXUOLYpIFXio2NQhm7v_e50dz_zk56F7LriznaVMzBWUpSzIAgwu-SNlR-gxn258qAFEN9csoVxQpVXnmzhib7sM5q84l259sCCsY1SvYRy6d-jGnsQ7PYsvOZNDwfB7gwc7PgVOSsHE_3p0eMbl8O9vx4mDzJGTVNuziI6bjoWCpylJCtaTIEUNW6BA20EB1LTguR8k8QYeCpyhirjTnoeMmRVr9H_cLNVuKC7zsbPR71gSIpBX7A1zmkS5_GGFAw5KfRyakfw-a5Xk05S3-tc9AuA_lz1:1j47Cr:Kxovf20JkN6Jm5CLXqYdKUSyi-Y"; su="sMo198Wht0Nw:1j47Cr:qdEo67QxNM_QQHbtlewB2xBYpps"
origin: https://my-sentry.company.com
referer: https://my-sentry.company.com/settings/company/
sec-fetch-mode: cors
sec-fetch-site: same-origin
user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36
x-csrftoken: null
x-requested-with: XMLHttpRequest
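As an added diagnostic (not code from this post or from Sentry itself), the following Python check parses a captured request like the one above and reports the reasons a Django/DRF CSRF check would reject it. It assumes Sentry's CSRF cookie is named sc and works on a constructed, abbreviated copy of the request with placeholder cookie values.

```python
from urllib.parse import urlsplit
# Constructed sample, abbreviated from the PUT captured in the post above;
# cookie values are placeholders, not real session material.
RAW_REQUEST = """\
:authority: my-sentry.company.com
:method: PUT
:path: /api/0/organizations/company/
:scheme: https
cookie: _ga=GA1.2.CONSTRUCTED; sc=CONSTRUCTED_CSRF_COOKIE; sudo="CONSTRUCTED_SUDO"
origin: https://my-sentry.company.com
referer: https://my-sentry.company.com/settings/company/
x-csrftoken: null
"""

def parse_headers(raw):
    # 'name: value' lines, HTTP/2 pseudo-headers included, names lower-cased
    pairs = (line.partition(": ") for line in raw.splitlines())
    return {n.strip().lower(): v.strip() for n, sep, v in pairs if sep}

def parse_cookies(cookie_header):
    # Cookie header -> {name: value}, surrounding quotes stripped
    pairs = (p.strip().partition("=") for p in cookie_header.split(";"))
    return {n.strip(): v.strip().strip('"') for n, sep, v in pairs if sep}

def diagnose_csrf(headers, csrf_cookie_name="sc"):
    # Finding codes for why a Django/DRF CSRF check would reject this request.
    # csrf_cookie_name="sc" is an assumption (Sentry's CSRF cookie name).
    findings = []
    cookie_token = parse_cookies(headers.get("cookie", "")).get(csrf_cookie_name)
    header_token = headers.get("x-csrftoken")
    if cookie_token is None:
        findings.append("csrf_cookie_missing")
    # The literal string "null" means the frontend found no cookie to copy.
    if header_token is None or header_token == "null":
        findings.append("csrf_header_missing")
    elif cookie_token is not None and header_token != cookie_token:
        findings.append("csrf_header_cookie_mismatch")
    # Over HTTPS Django also requires Origin/Referer to match the host it sees,
    # which behind a proxy is whatever Host the proxy forwards upstream.
    expected = (headers.get(":scheme", "https"), headers.get(":authority") or headers.get("host"))
    for name in ("origin", "referer"):
        value = headers.get(name)
        if value is None:
            findings.append(f"{name}_missing")
        elif (urlsplit(value).scheme, urlsplit(value).netloc) != expected:
            findings.append(f"{name}_not_same_origin")
    return findings
```

Running diagnose_csrf(parse_headers(RAW_REQUEST)) on the sample reports only csrf_header_missing: the sc cookie reaches the server, but the frontend never copied it into x-csrftoken, which matches the "CSRF token missing or incorrect" response.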