As designed JSON Requests

Rigel Kentaurus

Well-known member
Not really a bug, it is asking for the _xfToken

That is intended to prevent cross-domain forgery, that way I cannot just setup a page to do a "post" request to while you are browsing my site which will indirectly (and without your knowledge) trigger an action

That check is not done for guests, because they don't need it

Daniel Hood

Well-known member
I understand why it says security error, I guess I just don't understand why it outputs all the data for guests though. I realize it doesn't hurt anything, just find it odd.