Lambda URL CloudFront CRSF Errors

Important: Jets creates a CloudFront distribution that is capable of sending the host to the origin. So you should not get this error. See: CloudFront Host. You might only get this error if you have disabled the CloudFront Function or overriden the default.

CRSF Error

If you’re seeing an error like this:

> Started PATCH "/posts/11908" for 2002:42ea:d0d2:0:d58f:3db0:3686:27cc at 2024-03-30 17:51:11 +0000
Processing by PostsController#update as TURBO_STREAM
Parameters: {"authenticity_token"=>"[FILTERED]", "post"=>{"title"=>"Test post 1 Edit 1", "body"=>"", "published"=>"0"}, "commit"=>"Update Post", "id"=>"11908"}
HTTP Origin header ( didn't match request.base_url (
Completed 422 Unprocessable Entity in 0ms (ActiveRecord: 0.0ms | Allocations: 180)
ActionController::InvalidAuthenticityToken (HTTP Origin header ( didn't match request.base_url (
actionpack ( lib/action_controller/metal/request_forgery_protection.rb:293:in `handle_unverified_request'
actionpack ( lib/action_controller/metal/request_forgery_protection.rb:388:in `handle_unverified_request'
actionpack ( lib/action_controller/metal/request_forgery_protection.rb:377:in `verify_authenticity_token'


This is a Rails CRSF error. This particularly can happen when you’re using CloudFront with Lambda. CloudFront proxies the request: =>

For security reasons, CloudFront proxies the request so the Host Header is the Origin Host itself, not the CloudFront user-facing URL.

  • So the Rails Origin still sees the Function URL in the Host Header.
  • However, the web request comes from the CloudFront user-facing url
  • Hence, you get the dreaded ActionController::InvalidAuthenticityToken error


Jets allows you to override to the Host sent to the Rails Lambda Function. This can be done with JETS_SHIM_HOST. When you configure cloudfront, Jets will automatically use the first CloudFront aliases as the JETS_SHIM_HOST. If you do not have aliases, Jets uses the conventional aliases it creates. IE:

In general, you should not have to set JETS_SHIM_HOST though, since Jets sends the host to the origin.