What We Fixed
Email unsubscribe links were returning 422 errors for some users when clicked from email clients. This was caused by CSRF token validation failures that occur when:
- Email security scanners (Microsoft Safe Links, Barracuda, Proofpoint, Google Safe Browsing) prefetch the unsubscribe page before the user clicks it, creating a mismatched session
- Browser cookie restrictions — incognito mode, privacy extensions, or strict SameSite cookie policies block the session cookie between the page load and form submission
- Apple Mail Privacy Protection — automatically prefetches links in emails
The unsubscribe endpoints now skip CSRF verification: they are public routes authenticated by the token in the URL itself rather than by the user's session, so a missing or mismatched session cookie no longer causes the request to be rejected.
This fix applies to:
- Newsletter unsubscribe links (/u/:token)
- Transactional email unsubscribe links (/tu/:token)
- Legacy unsubscribe links (/unsubscribe/:token)
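The following is an added illustration, not the project's own code, of what makes skipping CSRF on such a route safe: the unsubscribe token in the URL is an unforgeable HMAC bound to one subscriber and one purpose, it is compared in constant time, and the handler is idempotent, so a scanner prefetch or a repeated click only re-applies the same state. The module and handler names, the secret, and the in-memory subscription store are assumptions for the example.

```ruby
require "openssl"

# Hypothetical helper (example code): a URL token that authenticates the
# unsubscribe request by itself, so the endpoint needs no session cookie
# and therefore no CSRF token. Token = "<subscriber_id>.<hex HMAC-SHA256>".
module UnsubscribeToken
  SECRET = "constructed-demo-secret-do-not-use".freeze # real apps: from config
  PURPOSE = "unsubscribe".freeze # binds the MAC to this action only

  def self.generate(subscriber_id)
    "#{subscriber_id}.#{mac_for(subscriber_id)}"
  end

  # Returns the subscriber id when the token is valid, nil otherwise.
  def self.verify(token)
    id, mac = token.to_s.split(".", 2)
    return nil if id.nil? || id.empty? || mac.nil?
    secure_equal?(mac, mac_for(id)) ? id : nil
  end

  def self.mac_for(subscriber_id)
    OpenSSL::HMAC.hexdigest("SHA256", SECRET, "#{subscriber_id}:#{PURPOSE}")
  end

  # Constant-time comparison: the result does not depend on how many
  # leading bytes of a forged MAC happened to match.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
  private_class_method :mac_for, :secure_equal?
end

# Handler for a route like /u/:token. Idempotent by design: unsubscribing an
# already-unsubscribed address returns the same result, so prefetchers and
# double clicks cause no harm and no state-changing side effect beyond the
# one the token authorizes.
class UnsubscribeHandler
  # subscriptions: constructed in-memory store, subscriber_id => active?
  def initialize(subscriptions)
    @subscriptions = subscriptions
  end

  def call(token)
    id = UnsubscribeToken.verify(token)
    return [404, "unknown token"] unless id && @subscriptions.key?(id)
    @subscriptions[id] = false
    [200, "unsubscribed"]
  end
end
```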
Thank you to everyone who reported this issue!