DEV Community

Cover image for Using Postman with Java Spring and CSRF Tokens
Shane McGowan
Shane McGowan

Posted on

5

Using Postman with Java Spring and CSRF Tokens

Java Spring will return a 403 Forbidden if any request besides a GET request is missing a Cross Site Request Forgery Token (CSRF Token) in the X-XSRF-TOKEN Header. Here is how to fix that issue when using Postman. I have seen people online suggest that you disable CSRF Tokens but please don't do that. That is silly. Those people are sily.

Creating an environment

We need to create an environment in which to store our CSRF Token

  • In the top right of Postman, click the cog.
    Alt Text

  • In the Pop Up window, Click Add
    Alt Text

  • Enter an appropriate Environment Name

  • Enter xsrf-token in the first column.

  • Click Add in the bottom right corner

Alt Text

  • Ensure your environment is selected in the drop-down in the top right.

Getting the CSRF Token

GET requests do not require a CSRF Token to be allowed through our SpringSecurityConfig

  • Create a GET request
  • Navigate to the Tests tab
  • Enter pm.environment.set("xsrf-token", decodeURIComponent(pm.cookies.get("XSRF-TOKEN")));

Alt Text

Now when you call this endpoint in Postman, your CSRF Token will be stored in your environment variables.

Using the CSRF Token

  • Go to your request that requires the CSRF Token
  • Navigate to the Headers tab
  • Enter a key of X-XSRF-TOKEN and a value of {{xsrf-token}}, the {{xsrf-token}} value will be populated from our Environment we created earlier. Alt Text

Your request should now be from from CSRF errors

Things to watch out for

  • Be sure you have actually selected an Environment. I have forgotten to do this several times.
  • Be sure to call the GET request again to populate the value in case it has become invalid or has expired.
  • Have a nice day

Heroku

Deliver your unique apps, your own way.

Heroku tackles the toil — patching and upgrading, 24/7 ops and security, build systems, failovers, and more. Stay focused on building great data-driven applications.

Learn More

Top comments (3)

Collapse
 
chxei profile image
daviti

I'm not getting XSRF-TOKEN cookie from spring security. So postman variable is undefined. How can I fix this?

Collapse
 
shane profile image
Shane McGowan

If it isn't being returned by Spring then perhaps you don't actually have it enabled? Or it could be a CORS issue you need to resolve first

Collapse
 
raisibe profile image
Gina

I've disabled my csrf in securityFilterChain method but it still requires it in postman. is there a reason why?

Image of Stellar post

Check out Episode 1: How a Hackathon Project Became a Web3 Startup 🚀

Ever wondered what it takes to build a web3 startup from scratch? In the Stellar Dev Diaries series, we follow the journey of a team of developers building on the Stellar Network as they go from hackathon win to getting funded and launching on mainnet.

Read more

👋 Kindness is contagious

Engage with a wealth of insights in this thoughtful article, valued within the supportive DEV Community. Coders of every background are welcome to join in and add to our collective wisdom.

A sincere "thank you" often brightens someone’s day. Share your gratitude in the comments below!

On DEV, the act of sharing knowledge eases our journey and fortifies our community ties. Found value in this? A quick thank you to the author can make a significant impact.

Okay