Modular HttpSecurityDSL kotlin config cannot disable CSRF protection #18365

@XhstormR

Describe the bug

I tried disabling CSRF through Kotlin's modular HttpSecurityDSL configuration, but it didn't work.

To Reproduce

Sending a simple POST request returned a "Forbidden" error.

```kotlin
import org.springframework.context.annotation.Bean
import org.springframework.context.annotation.Configuration
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity
import org.springframework.security.config.annotation.web.HttpSecurityDsl
import org.springframework.security.config.annotation.web.builders.HttpSecurity
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity
import org.springframework.security.config.annotation.web.invoke
import org.springframework.security.web.SecurityFilterChain

@Configuration
@EnableWebSecurity
@EnableMethodSecurity(prePostEnabled = true)
class WebSecurityConfig {

    @Bean
    fun springSecurity(http: HttpSecurity): SecurityFilterChain {
        // Java-style customizer: SPA-oriented CSRF defaults
        http.csrf { it.spa() }
        // Kotlin DSL block applied to the same HttpSecurity instance
        http {
            csrf {
                ignoringRequestMatchers("/login/**", "/captcha")
            }
            authorizeHttpRequests {
                authorize(anyRequest, authenticated)
            }
        }
        return http.build()
    }

    // Modular DSL customization exposed as a bean; expected to switch CSRF off
    // @Profile("dev")
    @Bean
    fun disableCSRF(): HttpSecurityDsl.() -> Unit = {
        csrf {
            disable()
        }
    }
}
```

Expected behavior

With CSRF protection disabled, sending a POST request should return a 200 (successful request) response.
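The following MockMvc test is an added example, not part of the report, that makes the expected behaviour above checkable: it assumes a hypothetical `/api/echo` endpoint (constructed here for the test) and that the `WebSecurityConfig` above is on the test classpath. A 403 on the first test while the second passes isolates the CSRF filter as the cause.

```kotlin
import org.junit.jupiter.api.Test
import org.springframework.beans.factory.annotation.Autowired
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc
import org.springframework.boot.test.context.SpringBootTest
import org.springframework.context.annotation.Import
import org.springframework.security.test.context.support.WithMockUser
import org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf
import org.springframework.test.web.servlet.MockMvc
import org.springframework.test.web.servlet.post
import org.springframework.web.bind.annotation.PostMapping
import org.springframework.web.bind.annotation.RestController

// Constructed endpoint for this test only; the reporter's application has its own routes.
@RestController
class EchoController {
    @PostMapping("/api/echo")
    fun echo(): String = "ok"
}

@SpringBootTest
@AutoConfigureMockMvc
@Import(EchoController::class)
class CsrfDisabledTest(@Autowired private val mockMvc: MockMvc) {

    // Expected behaviour from the issue: with the disableCSRF bean applied,
    // an authenticated POST that carries no CSRF token must be accepted.
    @Test
    @WithMockUser
    fun `post without csrf token succeeds when csrf is disabled`() {
        mockMvc.post("/api/echo")
            .andExpect { status { isOk() } }
    }

    // Control case: a request that does carry a valid token succeeds whether or
    // not CSRF is enabled, so a failure above cannot be an authorization problem.
    @Test
    @WithMockUser
    fun `post with csrf token always succeeds`() {
        mockMvc.post("/api/echo") { with(csrf()) }
            .andExpect { status { isOk() } }
    }
}
```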
