Sending CSRF Token From Postman REST Client

DbSchema is a super-flexible database designer, which can take you from designing the DB with your team all the way to safely deploying the schema.

The way it does all of that is by using a design model, a database-independent image of the schema, which can be shared in a team using GIT and compared or deployed on to any database.

And, of course, it can be heavily visual, allowing you to interact with the database using diagrams, visually compose queries, explore the data, generate random data, import data or build HTML5 database reports.

>> Take a look at DBSchema

Slow MySQL query performance is all too common. Of course it is. A good way to go is, naturally, a dedicated profiler that actually understands the ins and outs of MySQL.

The Jet Profiler was built for MySQL only, so it can do things like real-time query performance, focus on most used tables or most frequent queries, quickly identify performance issues and basically help you optimize your queries.

Critically, it has very minimal impact on your server's performance, with most of the profiling work done separately - so it needs no server changes, agents or separate services.

Basically, you install the desktop application, connect to your MySQL server, hit the record button, and you'll have results within minutes:

>> Try out the Profiler

Repeatedly, code that works in dev breaks down in production. Java performance issues are difficult to track down or predict.

Simply put, Digma provides immediate code feedback. As an IDE plugin, it identifies issues with your code as it is currently running in test and prod.

The feedback is available from the minute you are writing it.

Imagine being alerted to any regression or code smell as you're running and debugging locally. Also, identifying weak spots that need attending to, based on integration testing results.

>> Enable code feedback in your IDE.

Of course, Digma is free for developers.

We rely on other people’s code in our own work. Every day.

It might be the language you’re writing in, the framework you’re building on, or some esoteric piece of software that does one thing so well you never found the need to implement it yourself.

The problem is, of course, when things fall apart in production - debugging the implementation of a 3rd party library you have no intimate knowledge of is, to say the least, tricky.

Lightrun is a new kind of debugger.

It's one geared specifically towards real-life production environments. Using Lightrun, you can drill down into running applications, including 3rd party dependencies, with real-time logs, snapshots, and metrics.

Learn more in this quick, 5-minute Lightrun tutorial:

>> The Essential List of Spring Boot Annotations and Their Use Cases

1. Overview

Every time we test an endpoint with CSRF protection enabled, we have to manually take the CSRF token from the cookies and set it in the X-XSRF-TOKEN request header. If we don’t send the CSRF token, we get a 403 Forbidden error.

In this tutorial, we’ll see how to automate the sending of the CSRF token to the server when using Postman.

2. Application Setup

We’ll not discuss how to enable CSRF protection in a Spring application, which we’ve already covered in a previous article.

As we know, we can find the CSRF token in the client’s cookies, and by default, CSRF protection is enforced for the POST, PUT and DELETE HTTP verbs.

Also, for testing, we’ll use one of the endpoints from the previous article, a POST request, which enables a user to transfer an amount to one account:

POST http://localhost:8080/transfer?accountNo=1234&amount=100

3. Postman

Firstly, we’ll run a test with the Postman client without considering the CSRF token. Afterward, we’ll run another test where we send the CSRF token and set up Postman to send it automatically.

3.1. Testing Without CSRF Token

Let’s open Postman and add a new request:

Now, we execute the request without sending the CSRF token, and we get the 403 Forbidden error:

Next, we’ll see how to fix that.

3.2. X-XSRF-TOKEN Header Property

In the Headers tab, let’s add a new parameter called X-XSRF-TOKEN and the value set to xsrf-token. X-XSRF-TOKEN is the header for the CSRF, and xsrf-token is an environment variable that we’ll define after:

3.3. Environment Variable xsrf-token

Now let’s go to the Environments on the left side and create a new environment called DEV:

On the right side, let’s define the environment variable we mentioned above, called xsrf-token. We’ll leave the rest of the fields empty:

Let’s go back to the request and select the DEV Environment from the top right corner so that we can use the environment property we defined:

3.4. Script

Let’s click now on the Tests tab. We’ll add the following script here:

The script retrieves the value of the XSRF-TOKEN cookie and assigns it to the environment variable xsrf-token. Now, whatever value for XSRF-TOKEN comes from the server will be transferred to the X-XSRF-TOKEN header property.

2.5. Testing

When we execute the request, we now get the 200 OK response:

3. Conclusion

In this article, we saw how to test an endpoint of an application that has CSRF protection enabled.

We used the Postman client to automate the sending of CSRF tokens every time we execute a new request on the same endpoint. That is more efficient since we don’t have to take the CSRF token manually and set it in the request header.

Sending CSRF Token From Postman REST Client

**Get started with Spring 5 and Spring Boot 2, through the Learn Spring course:**

1. Overview

2. Application Setup