CSRF is really confusing; I'm using an example on GitHub to learn about it.
Link: spring-security-angular-csrf-login
Thanks marcusdacoregio.
Now, I see that a CSRF token is stored in a cookie and sent to Angular, and it stores the cookie with an XSRF-TOKEN value like this one
It works fine and, as you can see, the cookie is sent with each request.
I created a new POST endpoint to test it. However, when I change the value of the CSRF cookie:
If I change the cookie value,
my backend processes the request normally, regardless of whether the CSRF token in my cookie is altered!!!
This is the configuration:
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.http.HttpStatus;
    import org.springframework.security.config.Customizer;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.web.SecurityFilterChain;
    import org.springframework.security.web.authentication.HttpStatusEntryPoint;
    import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
    import org.springframework.security.web.csrf.CsrfTokenRequestHandler;
    import org.springframework.security.web.csrf.XorCsrfTokenRequestAttributeHandler;

    // CsrfTokenAwareLogoutSuccessHandler is the sample project's own class;
    // it is assumed here to live in the same package as this configuration.

    @Configuration
    @EnableWebSecurity
    public class SecurityConfig {

        @Bean
        public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
            // https://docs.spring.io/spring-security/reference/5.8/migration/servlet/exploits.html#_i_am_using_angularjs_or_another_javascript_framework
            // Store the token in a cookie the Angular client can read (httpOnly=false), so it can echo it back in a header.
            CookieCsrfTokenRepository tokenRepository = CookieCsrfTokenRepository.withHttpOnlyFalse();
            XorCsrfTokenRequestAttributeHandler delegate = new XorCsrfTokenRequestAttributeHandler();
            // Set the attribute name to null to not use deferred CSRF tokens; we want them to be added to every request.
            // https://docs.spring.io/spring-security/reference/5.8.0/migration/servlet/exploits.html#_defer_loading_csrftoken
            delegate.setCsrfRequestAttributeName(null);
            // Use only the handle() method of XorCsrfTokenRequestAttributeHandler and the
            // default implementation of resolveCsrfTokenValue() from CsrfTokenRequestHandler.
            CsrfTokenRequestHandler requestHandler = delegate::handle;
            http
                .authorizeHttpRequests((authorize) -> authorize
                    .anyRequest().authenticated()
                )
                .formLogin((login) -> login
                    .successHandler((request, response, authentication) -> response.setStatus(200)) // Just return 200 instead of redirecting to '/'
                ) // We will use form login to authenticate users from the Angular frontend; it's okay to use a Controller though
                .logout((logout) -> logout
                    .logoutSuccessHandler(new CsrfTokenAwareLogoutSuccessHandler(tokenRepository)) // Handler that generates and saves a new CSRF token on logout
                )
                .cors(Customizer.withDefaults())
                .exceptionHandling((exceptions) -> exceptions
                    .authenticationEntryPoint(new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED))
                )
                .csrf((csrf) -> csrf
                    .csrfTokenRepository(tokenRepository)
                    .csrfTokenRequestHandler(requestHandler)
                );
            return http.build();
        }
    }
Should this be happening? Shouldn't the cookie value be validated? What steps should I take to ensure proper CSRF protection? Or can someone just add an XSRF-TOKEN with any value and make requests?
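An added model of the check the question is about; this is illustration code, not Spring Security's own implementation and not part of the sample project. With a cookie-based token repository the server has nothing to compare the cookie against except the copy the client sends back in the X-XSRF-TOKEN header, so a request whose cookie was edited by hand still passes when the client (as Angular's HttpClient does) reads the cookie and copies the edited value into the header. What the check actually defends against is a request that carries the cookie but no matching header, which is the situation for a page on another origin that cannot read the cookie. Cookie and header names follow the question; the request values and helper names are constructed for the demonstration.

```python
"""Double-submit-cookie model of a cookie-based CSRF check.

Added illustration (not Spring Security's code): compare the token stored in
the XSRF-TOKEN cookie with the token echoed back in the X-XSRF-TOKEN header.
All request values below are constructed for the demonstration.
"""
import hmac
import secrets
from dataclasses import dataclass, field

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}   # never checked, as in Spring's CsrfFilter
COOKIE_NAME = "XSRF-TOKEN"                            # cookie the server issues
HEADER_NAME = "X-XSRF-TOKEN"                          # header the client must echo it in


@dataclass
class Request:
    """Constructed stand-in for an HTTP request: only the parts the check reads."""
    method: str
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def issue_token() -> str:
    """Server side: mint an unguessable token to place in the XSRF-TOKEN cookie."""
    return secrets.token_urlsafe(32)


def csrf_check(req: Request) -> tuple[bool, str]:
    """Return (allowed, reason) for a request, mirroring the double-submit rule."""
    if req.method.upper() in SAFE_METHODS:
        return True, "safe method, no check"
    expected = req.cookies.get(COOKIE_NAME)
    if expected is None:
        return False, "no CSRF cookie: token was never issued"
    actual = req.headers.get(HEADER_NAME)
    if actual is None:
        return False, "missing X-XSRF-TOKEN header"
    # Constant-time comparison, the same property Spring's equalsConstantTime provides.
    if not hmac.compare_digest(expected.encode(), actual.encode()):
        return False, "header does not match cookie"
    return True, "cookie and header match"


def angular_style_post(cookie_value: str) -> Request:
    """Same-origin client behaviour: read the cookie and copy it into the header.

    This is why an edited cookie still passes in the question: the edited value
    is copied into the header, so the two copies still agree.
    """
    return Request("POST", {COOKIE_NAME: cookie_value}, {HEADER_NAME: cookie_value})


def cross_site_post(cookie_value: str) -> Request:
    """Request initiated from another origin: the browser attaches the cookie,
    but that origin cannot read it, so no X-XSRF-TOKEN header is present."""
    return Request("POST", {COOKIE_NAME: cookie_value}, {})


if __name__ == "__main__":
    token = issue_token()
    for label, req in [
        ("same-origin POST, untouched cookie", angular_style_post(token)),
        ("same-origin POST, cookie edited by hand", angular_style_post("edited-by-hand")),
        ("cross-origin POST, cookie only", cross_site_post(token)),
        ("POST with stale header", Request("POST", {COOKIE_NAME: token}, {HEADER_NAME: "old"})),
    ]:
        allowed, reason = csrf_check(req)
        print(f"{label:45s} -> {'ALLOW' if allowed else 'REJECT'} ({reason})")
```

The edited-cookie case is accepted on purpose: the server never stored the token anywhere else, so "the cookie value" is the reference value, and the check's strength comes from the header, which only same-origin script can set. If you want an altered cookie itself to be rejected, the token has to be validated against state the client cannot rewrite, for example the session-backed repository instead of the cookie-backed one.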