Sending CSRF Token From Postman REST Client
Last updated: January 8, 2024
Mocking is an essential part of unit testing, and the Mockito library makes it easy to write clean and intuitive unit tests for your Java code.
Get started with mocking and improve your application tests using our Mockito guide:
Handling concurrency in an application can be a tricky process with many potential pitfalls. A solid grasp of the fundamentals will go a long way to help minimize these issues.
Get started with understanding multi-threaded applications with our Java Concurrency guide:
Spring 5 added support for reactive programming with the Spring WebFlux module, which has been improved upon ever since. Get started with the Reactor project basics and reactive programming in Spring Boot:
Since its introduction in Java 8, the Stream API has become a staple of Java development. The basic operations like iterating, filtering, mapping sequences of elements are deceptively simple to use.
But these can also be overused and fall into some common pitfalls.
To get a better understanding on how Streams work and how to combine them with other language features, check out our guide to Java Streams:
Explore Spring Boot 3 and Spring 6 in-depth through building a full REST API with the framework:
Yes, Spring Security can be complex, from the more advanced functionality within the Core to the deep OAuth support in the framework.
I built the security material as two full courses - Core and OAuth, to get practical with these more complex scenarios. We explore when and how to use each feature and code through it on the backing project.
You can explore the course here:
Spring Data JPA is a great way to handle the complexity of JPA with the powerful simplicity of Spring Boot.
Get started with Spring Data JPA through the guided reference course:
Refactor Java code safely — and automatically — with OpenRewrite.
Refactoring big codebases by hand is slow, risky, and easy to put off. That’s where OpenRewrite comes in. The open-source framework for large-scale, automated code transformations helps teams modernize safely and consistently.
Each month, the creators and maintainers of OpenRewrite at Moderne run live, hands-on training sessions — one for newcomers and one for experienced users. You’ll see how recipes work, how to apply them across projects, and how to modernize code with confidence.
Join the next session, bring your questions, and learn how to automate the kind of work that usually eats your sprint time.
Distributed systems often come with complex challenges such as service-to-service communication, state management, asynchronous messaging, security, and more.
Dapr (Distributed Application Runtime) provides a set of APIs and building blocks to address these challenges, abstracting away infrastructure so we can focus on business logic.
In this tutorial, we'll focus on Dapr's pub/sub API for message brokering. Using its Spring Boot integration, we'll simplify the creation of a loosely coupled, portable, and easily testable pub/sub messaging system:
1. Overview
Every time we test an endpoint with CSRF protection enabled, we have to manually take the CSRF token from the cookies and set it in the X-XSRF-TOKEN request header. If we don’t send the CSRF token, we get a 403 Forbidden error.
In this tutorial, we’ll see how to automate the sending of the CSRF token to the server when using Postman.
2. Application Setup
We’ll not discuss how to enable CSRF protection in a Spring application, which we’ve already covered in a previous article.
As we know, we can find the CSRF token in the client’s cookies, and by default, CSRF protection is enforced for the POST, PUT and DELETE HTTP verbs.
Also, for testing, we’ll use one of the endpoints from the previous article, a POST request, which enables a user to transfer an amount to one account:
POST http://localhost:8080/transfer?accountNo=1234&amount=100
3. Postman
Firstly, we’ll run a test with the Postman client without considering the CSRF token. Afterward, we’ll run another test where we send the CSRF token and set up Postman to send it automatically.
3.1. Testing Without CSRF Token
Let’s open Postman and add a new request:
Now, we execute the request without sending the CSRF token, and we get the 403 Forbidden error:
Next, we’ll see how to fix that.
3.2. X-XSRF-TOKEN Header Property
In the Headers tab, let’s add a new parameter called X-XSRF-TOKEN and the value set to xsrf-token. X-XSRF-TOKEN is the header for the CSRF, and xsrf-token is an environment variable that we’ll define after:
3.3. Environment Variable xsrf-token
Now let’s go to the Environments on the left side and create a new environment called DEV:
On the right side, let’s define the environment variable we mentioned above, called xsrf-token. We’ll leave the rest of the fields empty:
Let’s go back to the request and select the DEV Environment from the top right corner so that we can use the environment property we defined:
3.4. Script
Let’s click now on the Tests tab. We’ll add the following script here:
The script retrieves the value of the XSRF-TOKEN cookie and assigns it to the environment variable xsrf-token. Now, whatever value for XSRF-TOKEN comes from the server will be transferred to the X-XSRF-TOKEN header property.
2.5. Testing
When we execute the request, we now get the 200 OK response:
3. Conclusion
In this article, we saw how to test an endpoint of an application that has CSRF protection enabled.
We used the Postman client to automate the sending of CSRF tokens every time we execute a new request on the same endpoint. That is more efficient since we don’t have to take the CSRF token manually and set it in the request header.
