6

I am lost now and need some help.

I have a

  • Spring Boot server with Spring Security 4.3.
  • Angular 5 App

And I want to enable CSRF protection, since it should be enabled on both by default (says the docs): It's NOT!

On Spring Boot I need to add these security configs:

```java
http
    .csrf()
    .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
```

On Angular I need to add these modules:

```typescript
imports: [
    ...,
    HttpClientModule,
    HttpClientXsrfModule, //(!)
...
```

Bottom line: the server sends the XSRF-TOKEN in each response.

- But a different one on each. Is that correct? I expected it to be the same for a client session.

- The main problem here is that Angular 5 still doesn't use the XSRF-TOKEN in its POST calls (e.g.). It doesn't set an X-XSRF-TOKEN in its requests.

What am I doing wrong or missing?

Gregor Sklorz
  • Another solution can be found [here](https://stackoverflow.com/questions/46040922/angular4-httpclient-csrf-does-not-send-x-xsrf-token). – Kellie Lutze Apr 15 '18 at 13:52

1 Answer

1

I had this same problem and I think it is a regression due to version 5 of Angular.

Until this is fixed you can add your own 'X-XSRF-TOKEN' header as I did.

```typescript
constructor(private http: HttpClient, private tokenExtractor: HttpXsrfTokenExtractor) {
}
```

then manually extract a token

```typescript
const token = this.tokenExtractor.getToken() as string;
```

and add it to the header

```typescript
this.http.post<any>(url, body, {headers: new HttpHeaders().set('X-XSRF-TOKEN', token)})
```

Houssem

H.abidi
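The cookie-to-header exchange discussed in this thread, as an added example that is not part of the original posts and is not Angular or Spring code. It models the skip rules of Angular's built-in XSRF interceptor (no header on GET/HEAD requests or on absolute `http://`/`https://` URLs, and an existing header is never overwritten) together with a simplified server-side comparison; `Req`, `readCookie`, `attachXsrfHeader`, `serverAccepts` and the sample values are hypothetical names and constructed data.

```typescript
const COOKIE_NAME = 'XSRF-TOKEN';   // cookie written by CookieCsrfTokenRepository
const HEADER_NAME = 'X-XSRF-TOKEN'; // header the server compares against the cookie

interface Req { method: string; url: string; headers: Record<string, string>; }

// Pull one cookie value out of a document.cookie-style string.
function readCookie(cookies: string, name: string): string | null {
  for (const part of cookies.split(';')) {
    const eq = part.indexOf('=');
    if (eq !== -1 && part.slice(0, eq).trim() === name) {
      return decodeURIComponent(part.slice(eq + 1).trim());
    }
  }
  return null;
}

// Client side: echo the cookie value in the header, using the same skip rules
// as Angular's built-in XSRF interceptor.
function attachXsrfHeader(req: Req, cookies: string): Req {
  const lcUrl = req.url.toLowerCase();
  const skipped = req.method === 'GET' || req.method === 'HEAD' ||
    lcUrl.indexOf('http://') === 0 || lcUrl.indexOf('https://') === 0;
  const token = readCookie(cookies, COOKIE_NAME);
  if (skipped || token === null || HEADER_NAME in req.headers) {
    return req; // request goes out unchanged
  }
  return { ...req, headers: { ...req.headers, [HEADER_NAME]: token } };
}

// Server side (simplified model of the double-submit check): a state-changing
// request passes only when the header repeats the cookie value.
function serverAccepts(req: Req, cookies: string): boolean {
  if (['GET', 'HEAD', 'OPTIONS', 'TRACE'].indexOf(req.method) !== -1) {
    return true; // safe methods are not checked
  }
  const expected = readCookie(cookies, COOKIE_NAME);
  return expected !== null && req.headers[HEADER_NAME] === expected;
}

// Constructed sample cookie string, as the browser would expose it to script.
const sampleCookies = 'JSESSIONID=abc123; XSRF-TOKEN=constructed-token-1';
```

A POST to a relative URL such as `/api/items` gets the header and passes the check, while the same POST to `http://localhost:8080/api/items` is sent without it and is rejected.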