Java Spring will return a 403 Forbidden
if any request besides a GET
request is missing a Cross Site Request Forgery Token (CSRF Token) in the X-XSRF-TOKEN
Header. Here is how to fix that issue when using Postman. I have seen people online suggest that you disable CSRF Tokens but please don't do that. That is silly. Those people are sily.
Creating an environment
We need to create an environment in which to store our CSRF Token
Enter an appropriate
Environment Name
Enter
xsrf-token
in the first column.Click
Add
in the bottom right corner
- Ensure your environment is selected in the drop-down in the top right.
Getting the CSRF Token
GET
requests do not require a CSRF Token to be allowed through our SpringSecurityConfig
- Create a
GET
request - Navigate to the
Tests
tab - Enter
pm.environment.set("xsrf-token", decodeURIComponent(pm.cookies.get("XSRF-TOKEN")));
Now when you call this endpoint in Postman, your CSRF Token will be stored in your environment variables.
Using the CSRF Token
- Go to your request that requires the CSRF Token
- Navigate to the
Headers
tab - Enter a key of
X-XSRF-TOKEN
and a value of{{xsrf-token}}
, the{{xsrf-token}}
value will be populated from our Environment we created earlier.
Your request should now be from from CSRF errors
Things to watch out for
- Be sure you have actually selected an Environment. I have forgotten to do this several times.
- Be sure to call the
GET
request again to populate the value in case it has become invalid or has expired. - Have a nice day
Top comments (3)
I'm not getting XSRF-TOKEN cookie from spring security. So postman variable is undefined. How can I fix this?
If it isn't being returned by Spring then perhaps you don't actually have it enabled? Or it could be a CORS issue you need to resolve first
I've disabled my csrf in securityFilterChain method but it still requires it in postman. is there a reason why?