codingstuff.io
ExploreTutorialsProblemsCS Subjects
Get Started
ExploreTutorialsProblemsCS Subjects
Get Started
codingstuff.io

Master the art of building software through interactive tutorials, real-world problems, and guided projects.

Pune, Maharashtra, India

codingstuffmail@gmail.com

Product

  • Explore
  • Tutorials
  • Problems
  • CS Subjects

Company

  • About
  • Contact
  • Privacy Policy
  • Terms & Conditions
  • Sitemap

© 2026 codingstuff.io. All rights reserved.

Built with ❤️ for developers everywhere

/
/
All Tutorials
🍃

Spring Boot

22 / 62 topics
19Spring Security Basics20Authentication in Spring Security21Authorization in Spring Security22CSRF Protection in Spring Security
56Security Basics in Spring Boot57CSRF Protection in Spring Boot58Data Encryption in Spring Boot59Audit Logging in Spring Boot
Tutorials/Spring Boot/CSRF Protection in Spring Security
🍃Spring Boot

CSRF Protection in Spring Security

Updated 2026-05-15
10 min read

CSRF Protection in Spring Security

Introduction

Cross-Site Request Forgery (CSRF) is a type of malicious attack where an unauthorized command is transmitted from a user that the web application trusts. This attack occurs when a legitimate user visits a malicious website, which then submits a request to another site without the user's knowledge.

Spring Security provides built-in support for CSRF protection, making it easier to secure your applications against such attacks. In this tutorial, we will explore what CSRF is, how Spring Security handles it, and how you can configure it in your Spring Boot application.

Concept

What is CSRF?

CSRF stands for Cross-Site Request Forgery. It occurs when a malicious website tricks a user into submitting a request to another site where the user is authenticated. For example, if a user is logged into their bank account and visits a malicious website, that website could submit a request to transfer money from the user's account without their knowledge.

How Does Spring Security Handle CSRF?

Spring Security automatically includes CSRF protection for state-changing requests (e.g., POST, PUT, DELETE) by default. It does this by adding a CSRF token to every form and AJAX request. The server then validates this token before processing the request.

The CSRF token is typically included in forms as a hidden field:

<form action="/submit" method="post">
    <input type="hidden" name="_csrf" value="\${_csrf.token}" />
    <!-- Other form fields -->
</form>

For AJAX requests, you can include the CSRF token in the request headers:

$.ajax({
    url: '/submit',
    type: 'POST',
    data: { /* your data */ },
    headers: {
        'X-CSRF-TOKEN': '\${_csrf.token}'
    }
});

Examples

Basic Configuration

By default, Spring Security enables CSRF protection. However, you can customize it according to your needs.

Enabling CSRF Protection

If you want to explicitly enable CSRF protection in your Spring Boot application, you can do so by configuring the HttpSecurity bean:

import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

@EnableWebSecurity
public class SecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .csrf(csrf -> csrf.disable()); // Disable CSRF protection
            // Other configurations...
        return http.build();
    }
}

#### Customizing CSRF Token Repository

By default, Spring Security uses a `CookieCsrfTokenRepository` to store the CSRF token in a cookie. You can customize this behavior by using other implementations like `HttpSessionCsrfTokenRepository`.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository;

@EnableWebSecurity
public class SecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .csrf(csrf -> csrf
                .csrfTokenRepository(new HttpSessionCsrfTokenRepository())
            );
            // Other configurations...
        return http.build();
    }
}

### Practical Example

Let's create a simple Spring Boot application with CSRF protection enabled.

#### Step 1: Create a Spring Boot Project

You can use Spring Initializr to create a new Spring Boot project. Make sure to include the following dependencies:

- Spring Web
- Spring Security

#### Step 2: Configure Security

Create a `SecurityConfig` class to configure CSRF protection:

```java
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

@EnableWebSecurity
public class SecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeRequests(authorize -> authorize
                .anyRequest().authenticated()
            )
            .formLogin(formLogin -> formLogin
                .loginPage("/login")
                .permitAll()
            );
        return http.build();
    }
}

#### Step 3: Create Controllers

Create a simple controller with a form that submits data:

```java
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;

@Controller
public class HomeController {

    @GetMapping("/")
    public String home() {
        return "home";
    }

    @PostMapping("/submit")
    public String submit() {
        // Process the submitted data
        return "redirect:/";
    }
}

Step 4: Create Views

Create a simple HTML form in src/main/resources/templates/home.html:

<!DOCTYPE html>
<html xmlns:th="http://www.thymeleaf.org">
&lt;head&gt;
    &lt;title&gt;Home</title>
</head>
&lt;body&gt;
    &lt;h1&gt;Welcome to the Home Page</h1>
    <form action="/submit" method="post">
        <input type="hidden" name="_csrf" th:value="\${_csrf.token}" />
        <button type="submit">Submit Data</button>
    </form>
</body>
</html>

Step 5: Run the Application

Run your Spring Boot application and navigate to http://localhost:8080. You should see a login page. After logging in, you will be redirected to the home page with a form. Submitting the form should work as expected.

What's Next?

In this tutorial, we covered CSRF protection in Spring Security, including understanding what CSRF is, how Spring Security handles it, and how to configure it in your application. In the next section, we will explore "Spring Boot Caching Basics," which will help you optimize your applications by caching frequently accessed data.

If you have any questions or need further clarification on CSRF protection or any other topic, feel free to ask!


PreviousAuthorization in Spring SecurityNext Spring Boot Caching Basics

Recommended Gear

Authorization in Spring SecuritySpring Boot Caching Basics