I know this is not a direct answer, but people (like me) usually don’t specify Spring’s version when searching for these kinds of questions.
So, since Spring Security a method exists that lets you ignore some routes:
The following will ensure CSRF protection ignores:
- Any GET, HEAD, TRACE, OPTIONS (this is the default)
- We also explicitly state to ignore any request that starts with “/sockjs/”
```java
http
    .csrf()
        .ignoringAntMatchers("/sockjs/**")
        .and()
    ...
```
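
As an added example (not part of the original answer and not Spring Security's own code), this Python model of the rule configured above lists which state-changing routes lose CSRF protection under an ignore pattern. The function names and the sample routes are constructed for illustration, and only exact paths and `prefix/**` patterns are modeled.

```python
# Added illustration: a simplified model of the CSRF decision configured above.
# Not Spring Security code; all names here are hypothetical.

SAFE_METHODS = {"GET", "HEAD", "TRACE", "OPTIONS"}  # ignored by default
IGNORED = ["/sockjs/**"]                            # pattern from the answer

# Constructed sample routes (method, path) for the audit below.
ROUTES = [
    ("GET", "/sockjs/info"),
    ("POST", "/sockjs/123/abc/xhr_send"),
    ("POST", "/sockjs-admin/reset"),
    ("POST", "/account/email"),
    ("DELETE", "/sockjs/sessions/9"),
]


def ant_match(pattern, path):
    """Match the two simple forms used here: exact path or 'prefix/**'."""
    if pattern in ("/**", "**"):
        return True
    if pattern.endswith("/**"):
        prefix = pattern[:-3]
        # '/sockjs/**' covers '/sockjs' and everything below '/sockjs/',
        # but not a sibling path such as '/sockjs-admin'.
        return path == prefix or path.startswith(prefix + "/")
    return path == pattern


def csrf_token_required(method, path, ignored_patterns):
    """True when a request must carry a valid CSRF token."""
    if method.upper() in SAFE_METHODS:
        return False
    return not any(ant_match(p, path) for p in ignored_patterns)


def exempt_state_changing_routes(routes, ignored_patterns):
    """Audit helper: state-changing routes that the ignore list exempts."""
    return [
        (m, p) for m, p in routes
        if m.upper() not in SAFE_METHODS
        and not csrf_token_required(m, p, ignored_patterns)
    ]


if __name__ == "__main__":
    for method, path in exempt_state_changing_routes(ROUTES, IGNORED):
        print("no CSRF check:", method, path)
```

Every route the audit helper returns is a state-changing endpoint that relies on something other than the CSRF token for protection, so the ignore pattern should be kept as narrow as the SockJS endpoints require.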