HTTP Post does not work on AppServer

I run the Anvil App Server (GitHub - anvil-works/anvil-runtime: The runtime engine for hosting Anvil web apps) in a docker container. The website the App Server serves works fine, but I have an HTTP endpoint that I get a “Invalid anti-forgery token” when I try to POST a JSON to it.

My server code end-point looks like this:

@anvil.server.http_endpoint("/test-collector", methods="POST", cross_site_session=True)
def test_collector():
  event = anvil.server.request.body_json

  if 'display_name' in event:
    matching =['display_name'])
  for script in matching:
  return "OK"

The endpoint works fine when using the Anvil online editor and service; i.e. I can POST from my machine using POSTMAN. But when deployed inside a Docker container it does not.

I build my image with this Dockerfile:

FROM python:3

RUN apt-get -yyy update
RUN apt-get install -y apt-utils
RUN apt-get -yyy update && apt-get -yyy install software-properties-common && \
    wget -O- | apt-key add - && \
    add-apt-repository 'deb stable main'

RUN wget && \
    (dpkg -i google-chrome-stable_current_amd64.deb || apt install -y --fix-broken) && \
    rm google-chrome-stable_current_amd64.deb

RUN apt-get -yyy update && apt-get -yyy install java-1.8.0-amazon-corretto-jdk ghostscript
RUN apt-get update --fix-missing

RUN /usr/local/bin/python -m pip install --upgrade pip
RUN pip install anvil-app-server
RUN anvil-app-server || true

VOLUME /apps


RUN mkdir /anvil-data

RUN useradd anvil
RUN chown -R anvil:anvil /anvil-data
USER anvil

ENTRYPOINT ["anvil-app-server", "--data-dir", "/anvil-data"]

My Docker RUN command:

sudo docker run -d --rm -p 3030:3030 --name rtt-anvil_web anvil_rtt:1.0 --app RTT --uplink-key 'adadwqdwqwqdqwdthgtrh'

Any ideas appreciated!


I can confirm this appears to be an issue only in the self hosted Anvil App Server with POST requests, this issue dose not happen when the app is hosted by Anvil Works. I assume this is something to do with cross site scripting protection, perhaps a difference in the reverse proxy setup between the App Server and how Anvil Works hosts the apps.

In my setup I have ruled out Cloudflare SSL and Nginx as being the cause by removing them from the setup and going back to the bundled Traefik proxy and automatic lets encrypt certificates.

To recreate this issue: create a new app with a single API endpoint, when the app is run in the self hosted Anvil App Server you will get the “Invalid anti-forgery token” error when POST requests is sent to the API. Nothing appears in the Anvil App server console.
If you run the app via Anvil Works the endpoint will respond normally.
enable_cors=True, cross_site_session=True set on the API endpoint has no affect.

Any help or further testing I could do would be appreciated, thanks! :slight_smile:


Hello, I have the same problem. Was it possible to find a solution?


Unfortunately, I did not find a proper solution. I ended up with a workaround based on an Nginx as a reverse proxy and a python flask app (both in dockers). A flask endpoint accepts the POST request and connects to the main Anvil app with uplink. Of course, this is not ideal, but I needed a quick fix (shipping is also a feature).

I still think it is worth it considering how easy it is to build a website with a db connection on the Anvil platform.

All the best


Thanks for sharing the work around, very true - the Anvil platform is great.

I sent this to Anvil Support on the 10th March as I did get help previously with other issues, but not heard anything yet (I do not have a paid support plan so do not expect to)

This is now fixed, in App Server v1.7.0 :slight_smile:


Hi Meredydd,

many thanks for the update! Now I have had time to test this and I can confirm that it works! This is awesome :grin: . Keep up the good work!

Many thanks

1 Like