How to disable CsrfPreventionFilter?



I switched to version 3.3.0 and now I’m struggling with disabling the CsrfPreventionFilter. The filter causes my custom endpoints to be useless.

Is anyone else experiencing the same problem? Maybe got another fix?



Hi @ElectroLutz,
If you are looking to disable it, simply comment it in the web.xml file.


Hey @hassang,

thank you for your response. I’m using the Spring Boot Starter which registers the filter via “CamundaBpmWebappInitializer”.

I fixed it 2 minutes ago by just registering an empty servlet filter with the name “CsrfPreventionFilter”.

Kinda hacky, but it works.

If anyone out there has a better fix: let me know.



Hi Marko,

3.3.0 has a bug that would wrongfully apply the CSRF filter to the standalone REST API endpoints. That’s why we already released 3.3.1 which should fix this.



Hey Thorben,

thank you for the quick fix! I updated my dependencies and it works like a charm.



Hi Thorben,
I have that issue on release 3.3.1. I see the filter pattern is “/api/","/app/” but my REST API usually starts with the prefix /api/v1 or maybe /api/v2 like that. I tried to set configuration ‘camunda.bpm.webapp.csrf.entryPoints’ to filter out my APIs but it does not support regex. Finally I tried to create my filter by extending CsrfPreventionFilter and overriding the method isNonModifyingRequest. It worked but seems not a good solution.