Problem
The Pusher JavaScript client library makes an authentication AJAX request when subscribing to a Private or Presence channel. This AJAX request is done in the form of a POST request.
By default a POST request from JavaScript is intercepted and forbidden with a 403 response with many web frameworks such as Ruby on Rails and Laravel as it will be seen as a Cross-site Request forgery attempt.
Solution
The solution depends on the client library that you are using:
JavaScript
Parameters to be sent along with the authentication request can be set in the Pusher constructor options parameter.
var pusher = new Pusher('app_key', { auth: { params: { CSRFToken: 'some_csrf_token' } } });
An alternative is to use jsonp authentication, as this is made using a GET request so shouldn't be treated as CSRF attempt. See https://pusher.com/docs/channels/server_api/authenticating-users#jsonp_auth_endpoints
iOS/Objective-C
The documentation for setting HTTP headers for libPusher can be found here:
https://github.com/pusher/libPusher#channel-authorization
Android/Java
The documentation for setting HTTP headers for pusher-websocket-java can be found here: http://pusher.github.io/pusher-websocket-java/com/pusher/client/util/HttpAuthorizer.html#setHeaders(java.util.HashMap).