URL: https://www.geeksforgeeks.org/advance-java/spring-security-how-to-enable-and-disable-csrf/

Spring Security - How to Enable and Disable CSRF

Last Updated : 11 Sep, 2025

Spring Security provides mechanisms to protect applications from common security threats. One of the most important protections is Cross-Site Request Forgery (CSRF) defense. By default, Spring Security enables CSRF protection, but developers often disable it for APIs without understanding when it’s safe.

What is CSRF

Cross-Site Request Forgery (CSRF) is an attack that tricks an authenticated user into unknowingly sending a malicious request to a web application.

Example:

  • If you are logged into your banking application, a malicious site could trick your browser into making a POST request to transfer money without your consent.
  • CSRF protection prevents this by ensuring that every state-changing request (POST, PUT, DELETE, PATCH) contains a valid CSRF token issued by the server.

Step-by-Step Implementation

Step 1: Create Your Project and Configure Apache Tomcat Server

Folder Structure:

Before moving to the project, let’s have a look at the complete project structure for our Spring MVC application.

πŸ‘ File-Strcture.png
Folder Structure

Step 2: Add Dependencies to pom.xml File

Add the following dependencies to your pom.xml file

  • Spring Web MVC
  • Java Servlet API
  • Spring Security Config
  • Spring Security Web

Below is the complete pom.xml file. Cross-check it against your own to make sure no dependency is missing.

pom.xml:

Step 3: Configure DispatcherServlet

The DispatcherServlet handles all incoming requests in Spring MVC.

Go to the src > main > java and create a class WebAppInitilizer. Below is the code for the WebAppInitilizer.java file.

File: WebAppInitilizer.java

Step 4: Configure Spring MVC Application

Create another class in the same location (src > main > java) and name it MyAppConfig. Below is the code for the MyAppConfig.java file.

MyAppConfig.java

Step 5: Create a Spring MVC Controller

Go to the src > main > java and create a class GfgController. Below is the code for the GfgController.java file.

File: GfgController.java

Step 6: Create Your JSP View

Go to src > main > webapp > WEB-INF > right-click > New > Folder and name the folder views. Then views > right-click > New > JSP File and name your first view; here we have named it hello-gfg.jsp. Below is the code for the hello-gfg.jsp file, which contains a simple web page.

hello-gfg.jsp

Step 7: Configure Spring Security Filter Chain

Go to src > main > java and create a class MySecurityAppConfig, annotated with @EnableWebSecurity. This class creates the Spring Security filter chain. Below is the code for the MySecurityAppConfig.java file.

MySecurityAppConfig.java

Go to src > main > java and create a class SecurityInitializer. This class registers the Spring Security filter chain with our application. Below is the code for the SecurityInitializer.java file.

SecurityInitializer.java

Step 8: Enable and Disable CSRF Protection

Default Behavior: CSRF is enabled by default in Spring Security.

Disabling CSRF (for APIs or stateless apps):

Step 9: Run and Test the Application

  1. Right-click the project -> Run As -> Run on Server.
  2. Access your controller:

http://localhost:8080/springsecurity/gfg

You will see an authentication popup. Inspect the page source:

  • With CSRF enabled: <input type="hidden" name="_csrf" value="..."> appears in forms.
  • With CSRF disabled: No CSRF token appears.

πŸ‘ Image

Now right-click and go to the View page source.

πŸ‘ Image

πŸ‘ Image

Comment
Article Tags:

Explore