I know this is not a direct answer, but people (like me) usually don't specify Spring's version when searching for these kinds of questions.
So, since Spring Security a method exists that lets you ignore some routes:
The following will ensure CSRF protection ignores:
- Any GET, HEAD, TRACE, OPTIONS (this is the default)
- We also explicitly state to ignore any request that starts with “/sockjs/”
```java
http
    .csrf()
        .ignoringAntMatchers("/sockjs/**")
        .and()
    ...
```
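A regression test that the exemption stays confined to `/sockjs/**`, as an added example that is not part of the original answer. It assumes a Spring Boot application with JUnit 5 and `spring-security-test` on the classpath and the configuration above in effect; the two request paths are hypothetical, and the mock user is assumed to be authorized for them.

```java
import static org.junit.jupiter.api.Assertions.assertNotEquals;
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.test.web.servlet.MockMvc;

@SpringBootTest
@AutoConfigureMockMvc
@WithMockUser // authenticated, so a 403 here comes from the CSRF filter, not from a missing login
class CsrfExemptionScopeTest {

    // Hypothetical paths: one under the ignored prefix, one outside it.
    private static final String EXEMPT_PATH = "/sockjs/info";
    private static final String PROTECTED_PATH = "/api/orders";

    @Autowired
    private MockMvc mockMvc;

    @Test
    void postUnderSockjsIsNotRejectedWithoutToken() throws Exception {
        // No CSRF token is sent; the ignored matcher must let the request through the filter.
        mockMvc.perform(post(EXEMPT_PATH))
               .andExpect(r -> assertNotEquals(403, r.getResponse().getStatus()));
    }

    @Test
    void postElsewhereWithoutTokenIsRejected() throws Exception {
        // Outside the ignored prefix a state-changing request without a token must get 403.
        mockMvc.perform(post(PROTECTED_PATH))
               .andExpect(status().isForbidden());
    }

    @Test
    void postElsewhereWithTokenPassesCsrfFilter() throws Exception {
        // Same request with a valid token: whatever the handler returns, it is not a CSRF 403.
        mockMvc.perform(post(PROTECTED_PATH).with(csrf()))
               .andExpect(r -> assertNotEquals(403, r.getResponse().getStatus()));
    }
}
```

If someone later widens the ignored pattern, the second test fails, which flags the loss of CSRF protection on the other endpoints.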