How to disable CsrfPreventionFilter?



I switched to version 3.3.0 and now I’m struggling with disabling the CsrfPreventionFilter. The filter causes my custom endpoints to be useless.

Is anyone else experiencing the same problem? Maybe got another fix?



Hi @ElectroLutz,
If you are looking to disable it, simply comment it in the web.xml file.


Hey @hassang,

thank you for your response. I’m using the Spring Boot Starter which registers the filter via “CamundaBpmWebappInitializer”.

I fixed it 2 minutes ago by just registering an empty servlet filter with the name “CsrfPreventionFilter”.

Kinda hacky, but it works.

If anyone out there has a better fix: let me know.



Hi Marko,

3.3.0 has a bug that would wrongfully apply the CSRF filter to the standalone REST API endpoints. That’s why we already released 3.3.1 which should fix this.



Hey Thorben,

thank you for the quick fix! I updated my dependencies and it works like a charm.



Hi Thorben,
I have that issue on release 3.3.1. I see the filter pattern is “/api/","/app/” but my REST API usually starts with the prefix /api/v1 or maybe /api/v2, like that. I tried to set the configuration ‘camunda.bpm.webapp.csrf.entryPoints’ to filter out my APIs, but it does not support regex. Finally I tried to create my own filter by extending CsrfPreventionFilter and overriding the method isNonModifyingRequest. It worked but does not seem to be a good solution.


I get the same behavior as Stevechen. I am also using 3.3.1 and my API starts with /api/v1.
@Stevechen: Could you provide the source of your class?


Sorry, after several tests, it did not work well by overriding the class. My project uses nginx, so the final solution is adding the prefix /api/v1 to the nginx configuration and removing that prefix from Spring Boot. Maybe Camunda will fix this issue in a later version.


This worked for me

import org.springframework.boot.web.servlet.ServletContextInitializer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class CsrfAutoConfiguration {
    private static final String CSRF_PREVENTION_FILTER = "CsrfPreventionFilter";

    /**
     * Overwrite csrf filter from Camunda configured here
     * org.camunda.bpm.spring.boot.starter.webapp.CamundaBpmWebappInitializer
     * org.camunda.bpm.spring.boot.starter.webapp.filter.SpringBootCsrfPreventionFilter
     * Is configured with basically a 'no-op' filter
     */
    @Bean
    public ServletContextInitializer csrfOverwrite() {
        // Registers a pass-through filter under the same filter name
        return servletContext -> servletContext.addFilter(CSRF_PREVENTION_FILTER, (request, response, chain) -> chain.doFilter(request, response));
    }
}


I had the same issue and this fixed it.
Thank you @Wesley_Connor
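
An added example, not code from this thread or from Camunda: the no-op filter posted above switches the check off for every request the original filter handled, so the wrapper below keeps a wrapped filter in place and bypasses it only for a listed prefix such as /api/v1/. `PathScopedFilter`, `isExempt` and the sample paths are hypothetical, and how the wrapped filter instance is obtained and registered is left as an assumption; only the javax.servlet API is used.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.List;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;

/** Hypothetical wrapper (not Camunda code): skips `delegate` only for exempt path prefixes. */
public class PathScopedFilter implements Filter {
    private final Filter delegate;              // the filter being wrapped (assumption: supplied by caller)
    private final List<String> exemptPrefixes;  // each must end with '/' so /api/v10 does not match /api/v1/

    public PathScopedFilter(Filter delegate, List<String> exemptPrefixes) {
        this.delegate = delegate;
        this.exemptPrefixes = exemptPrefixes;
    }

    /** Exempt only when the raw path is unambiguous; anything odd keeps the check on. */
    static boolean isExempt(String contextPath, String requestUri, List<String> prefixes) {
        if (requestUri == null || !requestUri.startsWith(contextPath)) return false;
        String path = requestUri.substring(contextPath.length());
        // Encoded bytes, path parameters, dot segments, doubled slashes and backslashes can
        // make the container route a request somewhere other than its prefix suggests.
        if (path.contains("%") || path.contains(";") || path.contains("..")
                || path.contains("//") || path.contains("\\")) return false;
        return prefixes.stream().anyMatch(path::startsWith);
    }

    @Override public void init(FilterConfig config) throws ServletException { delegate.init(config); }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            HttpServletRequest http = (HttpServletRequest) req;
            if (isExempt(http.getContextPath(), http.getRequestURI(), exemptPrefixes)) {
                chain.doFilter(req, res);   // custom endpoint: bypass the wrapped filter
                return;
            }
        }
        delegate.doFilter(req, res, chain); // everything else still passes through it
    }

    @Override public void destroy() { delegate.destroy(); }

    public static void main(String[] args) {    // constructed sample paths
        List<String> prefixes = Collections.singletonList("/api/v1/");
        for (String uri : new String[] {"/api/v1/orders", "/api/engine", "/api/v1/../admin", "/api/v10/x"})
            System.out.println(uri + " exempt=" + isExempt("", uri, prefixes));
    }
}
```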