How to fix Invalid CSRF token error on Kite marketwatch

From WebNotes, a public knowledge base. Reading time ~3 min.

The Invalid CSRF token error on Kite is a failed security check: the browser-side token that Kite uses to verify a request belongs to the current server-side session has been rotated, gone stale, or been cleared. In almost every case the error is harmless and a simple re-login fixes it.

Conflict-of-interest disclosure. This guide is published by WebNotes Editorial Team for informational purposes. WebNotes has no commercial relationship with Zerodha.

Step-by-step procedure

The procedure itself is the six steps in the procedure infobox. The notes below explain the typical cause patterns and why they occur.

What CSRF means

CSRF (Cross-Site Request Forgery) is a class of web attack in which a malicious third-party site causes the user’s browser to submit unintended requests to a legitimate site. To prevent this, sites issue a random token at session start, store it in a cookie, and require every state-changing request (add scrip, place order, modify watchlist) to carry the same token.

If the token doesn’t match, the request is rejected with “Invalid CSRF token”.

Common cause patterns

Cause | What is happening
Session expired | The CSRF token in your browser is from a session that timed out server-side
Cookies cleared mid-session | The browser cleared the cookie carrying the token
Multiple Kite tabs | Two browser tabs each refreshed their own token; the older tab’s token is now stale
Browser extension cookie-blocking | An extension is preventing the cookie from being set or sent
Browser private / incognito quirks | Some private browsing modes drop the cookie between page loads
Browser-set restrictive privacy mode | Brave Shields, Firefox Strict mode and Safari Intelligent Tracking Prevention can drop the cookie

Multiple tabs is the surprise

The most common cause for active traders is having Kite open in multiple tabs simultaneously. When one tab refreshes the CSRF token (during normal session keep-alive), the older tab still has the previous token. The first action from the older tab triggers the error.

The cleanest workaround: keep Kite in a single tab. Use the Kite Connect API for programmatic access if you need multiple simultaneous interactions.
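To make the mechanism described under “What CSRF means” and the multiple-tabs cause concrete, here is an added example (not Kite’s own code) of a simplified cookie-based CSRF check. The session store, the 30-minute TTL and the assumption that each tab sends its in-memory copy of the token alongside the cookie are all constructed for the illustration.

```python
import hmac
import secrets
# Constructed model of a cookie-based (double-submit) CSRF check. Example code,
# not Kite's implementation; the names, header and 30-minute TTL are assumptions.
SESSION_TTL = 1800.0  # seconds


class SessionStore:
    """Server side: session id -> current CSRF token and expiry time."""

    def __init__(self):
        self.sessions = {}

    def login(self, now):
        sid, token = secrets.token_urlsafe(16), secrets.token_urlsafe(32)
        self.sessions[sid] = {"csrf": token, "expires": now + SESSION_TTL}
        return {"sid": sid, "csrf": token}  # both values are set as cookies

    def rotate(self, sid, now):
        """Keep-alive: mint a fresh token; the previous one is no longer valid."""
        token = secrets.token_urlsafe(32)
        self.sessions[sid] = {"csrf": token, "expires": now + SESSION_TTL}
        return token

    def check(self, cookies, header_token, now):
        """Validate a state-changing request such as adding a scrip."""
        sess = self.sessions.get(cookies.get("sid", ""))
        if sess is None or now > sess["expires"]:
            return "Session expired"
        cookie_token = cookies.get("csrf", "")
        # Both submitted copies must equal the server's current token (constant-time compare).
        if not (cookie_token and header_token
                and hmac.compare_digest(cookie_token, sess["csrf"])
                and hmac.compare_digest(header_token, sess["csrf"])):
            return "Invalid CSRF token"
        return "OK"


def multi_tab_scenario():
    """Replay the cause patterns from the table; returns the outcome per case."""
    store = SessionStore()
    cookies = store.login(now=0)    # one cookie jar shared by every tab
    tab_a_token = cookies["csrf"]   # tab A keeps the token it was loaded with
    results = {"fresh_login": store.check(cookies, tab_a_token, now=60)}
    cookies["csrf"] = store.rotate(cookies["sid"], now=120)  # tab B refreshes
    results["stale_tab"] = store.check(cookies, tab_a_token, now=130)
    results["fresh_tab"] = store.check(cookies, cookies["csrf"], now=140)
    results["cookie_cleared"] = store.check({"sid": cookies["sid"]}, cookies["csrf"], now=150)
    results["expired"] = store.check(cookies, cookies["csrf"], now=120 + SESSION_TTL + 1)
    return results
```

Only the tab that triggered the rotation still holds a token matching the cookie; the older tab’s first action is rejected exactly as the table describes.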

Browser privacy settings

Strict privacy modes can drop the cookie:

  • Firefox > Settings > Privacy & Security > Strict. May block third-party cookies; Kite’s cookie is first-party, so this is usually fine, but corner cases exist.
  • Safari > Settings > Privacy > Prevent cross-site tracking. Aggressive cookie expiry can prematurely drop the session.
  • Brave > Shields > Aggressive blocking. Drops more cookies; lower the level for kite.zerodha.com.

The clean fix

For 95% of cases:

  1. Log out via profile menu.
  2. Clear Kite cookies via browser settings (or use Ctrl+Shift+Del with site filter).
  3. Log back in.
  4. Add the scrip / make the change.

If the error recurs immediately, an extension or browser privacy setting is likely responsible.

When it is not a token issue

Rare cases where the CSRF error message appears but the underlying cause is different:

  • API rate limit. Repeated rapid requests can be rate-limited; some Kite builds surface this as a CSRF error.
  • Server-side issue. During a Kite deployment or incident, you may see CSRF errors briefly. Wait 1-2 minutes.
  • Account-level issue. If repeated re-logins still produce CSRF errors, contact Zerodha support.

Reviewed and published by

The WebNotes Editorial Team covers Indian capital markets, payments infrastructure and retail investor procedures. Every article is fact-checked against primary sources, principally SEBI circulars and master directions, NPCI specifications and the official support documentation published by the intermediary in question. Drafts go through a second-pair-of-eyes review and a separate compliance read before publication, and revisions are tracked against the SEBI and NPCI rule changes referenced in the methodology section.

Conflicts of interest
WebNotes is independent. No relationship with any broker, registrar or bank named in this article.