By Surendra Jnawali

2014-11-28 05:55:05 8 Comments

I have csrf protection in spring framework. So in each request I send csrf token in header from ajax call, which is perfectly working.

<meta name="_csrf" content="${_csrf.token}"/>
<meta name="_csrf_header" content="${_csrf.headerName}"/>

var token = $("meta[name='_csrf']").attr("content");
var header = $("meta[name='_csrf_header']").attr("content");

In ajax

beforeSend: function(xhr) {
                xhr.setRequestHeader(header, token),
                xhr.setRequestHeader("username", "xxxx1"),
                xhr.setRequestHeader("password", "password")

I haven't any idea to generate csrf token and include in header section of Postman Rest Client ? Would you please help me to send csrf token from Postman Rest Client? enter image description here


@KPS250 2018-09-05 09:46:12

Please put X-CSRF-Token as key and FETCH as the value in the GET request header and you will receive the token in the response header

@sofs1 2018-03-13 06:46:30

If you don't want to configure environment variables etc. here is the quickest solution

@johnny 5 2016-03-10 19:23:40

The Easiest way to do this consistently so you don't have to get the token each time:

NOTE:you need to install PostMan Interceptor and activate it to have access to the browsers cookies

  1. Create a new environment so environment variables can be stored

enter image description here

  1. Create a login method with a test to store the XSRF cookie in an environment variable, in the test tab post this code

    //Replace XSFR-TOKEN with your cookie name
    var xsrfCookie = postman.getResponseCookie("XSRF-TOKEN");
    postman.setEnvironmentVariable("xsrf-token", xsrfCookie.value);

EDIT For anyone using the 5.5.2 postman or later you will also have to decode the cookie, and they have also provided alternative ways to obtain cookies as @Sacapuces points out

pm.environment.set("xsrf-token", decodeURIComponent(pm.cookies.get("XSRF-TOKEN")))

Now you will have an environment variable with xsrf-token in it.

  1. Save your login method

  2. Create the new post you want to create and in the headers add your XSRF-Token-Header Key, and the environment variable in handle bars to access it{{}}

enter image description here

  1. Now before running your new request make sure you run your login, it will store the environment variable, and then when you run the actually request it will automatically append it.

@Marcel 2016-04-03 18:18:37

works fine, thank you!

@ElMesa 2016-12-14 09:59:47

Proposed an edit to change the cookie name to: postman.getResponseCookie("XSFR-TOKEN"). That works for on a JHipster project based on SpringBoot 1.4.2.RELEASE. If that brokes other scenarios please let know in the comments or propose an edit.

@sofs1 2018-03-13 05:41:56

And to find out the postman version you are using , Click the "wrench" --> Choose "Settings" from the list --> Select "About" tab. You will see postman version.

@sofs1 2018-03-13 05:45:00

@johnny5 Could you provide screenshots for where to put var xsrfCookie = postman.getResponseCookie("XSRF-TOKEN"); and postman.setEnvironmentVariable("xsrf-token", xsrfCookie.value);. Please help.

@johnny 5 2018-03-13 12:35:32

@user I’m not at my computer right now. But in the first screenshot you can see a tab called tests. Click that tab and place the code in there

@sofs1 2018-03-15 01:03:18

Got it. But Should it be X-CSRF-TOKEN or XSRF-TOKEN? When I open the Chrome console for my webapp, I see the key name as X-CSRF-TOKEN.

@johnny 5 2018-03-15 01:07:20

It depends on what your using, if your using spring 1.4.2 or later this should work otherwise you’ll need to read the documentation

@Blue Clouds 2018-04-11 13:20:51

How is the Get and the subsequent post related? Can I get in one machine and post in another ?

@johnny 5 2018-04-11 13:26:49

@BlueClouds the login method runs and set a variable in postman. The get method appends the variable stored in postman as the xsrf toke

@Sohi 2018-09-14 20:02:40

@johnny5 where do you have to paste the code in step 2? I tried clicking on the 'Test' tab as you suggested but there is no such option. I can edit an environment and define a key value pair over there.

@Joel Neukom 2015-10-03 12:11:53

Firstly you need to install PostMan Interceptor and activate it to have access to the browsers cookies.

  1. You have to fetch the CSRF Token by making a GET Request: Header: "XSRF-TOKEN" and Value: "Fetch"

  2. You should see the Token in the cookie tab and can copy it (Notice: You can configure spring how the cookie should be named. Maybe your cookie has another name than "XSRF-TOKEN". Attention: You have the remove this blank char in the token from the newline)

  3. Now make your POST Request and set the header to: Header: "X-XSRF-TOKEN" and Value: "Your copied Token without blanks"

@DmRomantsov 2015-10-28 10:57:18

For me works variant with adding X-CSRF-TOKEN to headers. enter image description here

@IshaS 2016-04-19 10:35:54

How to get csrf token ?

@NikosKeyz 2017-09-25 11:13:02

This is not Postman, this is "Tabbed Postman - REST Client".

@tranceholic 2015-02-04 07:43:45

I am able to send REST with csrf token by following the steps below:

  1. The CSRF token generated automatically by spring security when you logged in. It will be shown at the response header.

  2. The CSRF token can be used on subsequent request by setting X-CSRF-TOKEN with CSRF token on header.

@Sumit Ramteke 2015-02-20 07:38:55

can you show any screen shot or elaborate your answer

@Ernest 2015-08-26 22:01:30

It worked for me, but a little different, I got the CSRF Token from the cookies in the cookies tab, and used it on the header of the POST request using the header name X-XSRF-TOKEN

@Blue Clouds 2018-04-11 12:51:00

what is spring ?

@Blue Clouds 2018-04-11 13:20:13

how many requests can we use this?

@DeezCashews 2018-12-27 20:18:02

I copied the X-CSRF-TOKEN from the headers sent back by Spring Security and simply added &_csrf=<token> to my post URL. Thanks for the help.

Related Questions

Sponsored Content

17 Answered Questions

10 Answered Questions

[SOLVED] Sending JWT token in the headers with Postman

  • 2014-07-12 05:26:23
  • Diode Dan
  • 143364 View
  • 121 Score
  • 10 Answer
  • Tags:   express jwt postman

6 Answered Questions

[SOLVED] How to prevent CSRF in a RESTful application?

2 Answered Questions

0 Answered Questions

1 Answered Questions

4 Answered Questions

[SOLVED] RESTful Authentication via Spring

0 Answered Questions

Invalid CSRF Token via Postman

1 Answered Questions

[SOLVED] Spring not sending CSRF token on response

Sponsored Content