April 7th, 2020

Using Postman with Java Spring and CSRF Tokens

Java Spring CSRF Tokens VS. Postman, Who will win?

Java Spring will return a 403 Forbidden if any request other than a GET is missing a Cross Site Request Forgery Token (CSRF Token) in the X-XSRF-TOKEN header. Here is how to fix that issue when using Postman. I have seen people online suggest that you disable CSRF Tokens, but please don't do that. That is silly. Those people are silly.

Creating an environment

We need to create an environment in which to store our CSRF Token.

In the top right of Postman, click the cog.

In the pop-up window, click Add.

Ensure your environment is selected in the drop-down in the top right.

Getting the CSRF Token

GET requests do not require a CSRF Token to be allowed through our SpringSecurityConfig.

Now when you call this endpoint in Postman, your CSRF Token will be stored in your environment variables.

Using the CSRF Token

Your request should now be free from CSRF errors.

Things to watch out for