Tallboy

Reputation: 13467

Rails 6 - InvalidAuthenticityToken on Heroku

I've seen no answers on SO so far that don't answer this without suggesting to just disable it (which I don't want to do).

Locally, everything works, but deployed to production on Heroku I'm getting InvalidAuthenticityToken.

From everything I can see, everything is set up properly.

I considered that maybe it is because of this in ApplicationController:

before_action :authenticate

however it seems that prepend: true is no longer set within the application controller...

I tried overriding it anyway by just adding it (even though it's not there by default, and it still doesn't work if I add this above the before_action line):

protect_from_forgery with: :exception, prepend: true

Edit: I'll also say this fixed Sidekiq showing forbidden when trying to issue DELETE commands as well (kill job button).

Upvotes: 6

Views: 782

Answers (1)

cdadityang

Reputation: 543

Try adding config.force_ssl = true in your config/environments/production.rb and make sure your SSL is configured properly, like you said, switching to Full SSL instead of Flexible.

Upvotes: 5
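
One way a TLS-terminating proxy produces this error is Rails' CSRF origin check, which accepts a request only when its Origin header is absent or equal to the base URL the app believes it is served from. The sketch below is an added example, not code from the question, the answer, or Rails itself: it is a simplified model of that comparison, and the host name, headers and helper names are constructed for illustration.

```ruby
# Added illustration: a simplified model of the Origin comparison that Rails'
# CSRF protection performs. Not Rails source; headers and host are constructed.

# Scheme as the app sees it behind a proxy: taken from X-Forwarded-Proto
# (a simplification of Rack's scheme detection), defaulting to plain http.
def seen_scheme(env)
  proto = env["HTTP_X_FORWARDED_PROTO"].to_s.split(",").first.to_s.strip
  proto == "https" ? "https" : "http"
end

# The URL the app believes it is being served from.
def base_url(env)
  "#{seen_scheme(env)}://#{env.fetch('HTTP_HOST')}"
end

# Mirrors the rule: a missing Origin is accepted, "null" is rejected,
# otherwise Origin must equal the app's own view of its base URL.
def origin_check(env)
  origin = env["HTTP_ORIGIN"]
  return :ok if origin.nil?
  return :rejected_null_origin if origin == "null"
  origin == base_url(env) ? :ok : :rejected_mismatch
end

# Constructed request: the browser always talks https to the edge.
BROWSER = { "HTTP_HOST" => "app.example.com",
            "HTTP_ORIGIN" => "https://app.example.com" }.freeze

# Edge terminates TLS and forwards plain http to the app ("Flexible"-style).
FLEXIBLE = BROWSER.merge("HTTP_X_FORWARDED_PROTO" => "http").freeze
# Edge re-encrypts to the app, so the forwarded scheme is https ("Full"-style).
FULL = BROWSER.merge("HTTP_X_FORWARDED_PROTO" => "https").freeze

def report(cases)
  cases.map { |name, env| [name, base_url(env), origin_check(env)] }
end

if __FILE__ == $PROGRAM_NAME
  report("flexible" => FLEXIBLE, "full" => FULL).each do |name, url, result|
    puts format("%-9s app sees %-24s origin check: %s", name, url, result)
  end
end
```

In the "flexible" case the app computes an http base URL while the browser sent an https Origin, so the check fails even though the authenticity token itself is valid; serving https end to end makes the two agree without disabling CSRF protection.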
