spring-security/docs/modules/ROOT/pages/servlet/test/mockmvc/csrf.adoc

[[test-mockmvc-csrf]]
= Testing with CSRF Protection

When testing any non-safe HTTP methods and using Spring Security's CSRF protection, you must be sure to include a valid CSRF Token in the request.
To specify a valid CSRF token as a request parameter use the CSRF xref:servlet/test/mockmvc/request-post-processors.adoc[`RequestPostProcessor`] like so:

====
.Java
[source,java,role="primary"]
----
mvc
	.perform(post("/").with(csrf()))
----

.Kotlin
[source,kotlin,role="secondary"]
----
mvc.post("/") {
    with(csrf())
}
----
====

If you like you can include CSRF token in the header instead:

====
.Java
[source,java,role="primary"]
----
mvc
	.perform(post("/").with(csrf().asHeader()))
----

.Kotlin
[source,kotlin,role="secondary"]
----
mvc.post("/") {
    with(csrf().asHeader())
}
----
====

You can also test providing an invalid CSRF token using the following:

====
.Java
[source,java,role="primary"]
----
mvc
	.perform(post("/").with(csrf().useInvalidToken()))
----

.Kotlin
[source,kotlin,role="secondary"]
----
mvc.post("/") {
    with(csrf().useInvalidToken())
}
----
====
Separate Testing Servlet Docs Issue gh-10367 2021-10-29 12:34:29 -06:00			`[[test-mockmvc-csrf]]`
			`= Testing with CSRF Protection`

			`When testing any non-safe HTTP methods and using Spring Security's CSRF protection, you must be sure to include a valid CSRF Token in the request.`
			To specify a valid CSRF token as a request parameter use the CSRF xref:servlet/test/mockmvc/request-post-processors.adoc[`RequestPostProcessor`] like so:

			`====`
			`.Java`
			`[source,java,role="primary"]`
			`----`
			`mvc`
			`.perform(post("/").with(csrf()))`
			`----`

			`.Kotlin`
			`[source,kotlin,role="secondary"]`
			`----`
			`mvc.post("/") {`
			`with(csrf())`
			`}`
			`----`
			`====`

			`If you like you can include CSRF token in the header instead:`

			`====`
			`.Java`
			`[source,java,role="primary"]`
			`----`
			`mvc`
			`.perform(post("/").with(csrf().asHeader()))`
			`----`

			`.Kotlin`
			`[source,kotlin,role="secondary"]`
			`----`
			`mvc.post("/") {`
			`with(csrf().asHeader())`
			`}`
			`----`
			`====`

			`You can also test providing an invalid CSRF token using the following:`

			`====`
			`.Java`
			`[source,java,role="primary"]`
			`----`
			`mvc`
			`.perform(post("/").with(csrf().useInvalidToken()))`
			`----`

			`.Kotlin`
			`[source,kotlin,role="secondary"]`
			`----`
			`mvc.post("/") {`
			`with(csrf().useInvalidToken())`
			`}`
			`----`
			`====`