Skip to content
An AngularJS interceptor that sets the Spring Security CSRF token information in all HTTP requests if it's able to find it in a response header on application startup.
Branch: master
Clone or download
aditzel Merge pull request #7 from karthilxg/master
Added feature to customize the csrf token interceptor behavior.
Latest commit aa33d7a Apr 30, 2015


An AngularJS interceptor that will include the CSRF token header in HTTP requests.

It does this by doing an AJAX HTTP HEAD call to / by default, and then retrieves the HTTP header 'X-CSRF-TOKEN' and sets this same token on all HTTP requests.

spring-security-csrf-token-interceptor also supports configuring the CSRF header name, number of retries allowed in-case of Forbidden errors, restrict adding the CSRF tokens to some HTTP types etc.

#Installing ###Via Bower

$ bower install spring-security-csrf-token-interceptor

###Via NPM

$ npm install spring-security-csrf-token-interceptor

#Usage Include this as a dependency on your application:

angular.module('myApp', ['spring-security-csrf-token-interceptor']);

Use the configProvider to customize the interceptor behavior. Check Configuration section for more details.


#Configuration The following options are available for configuring the interceptor,

Note: All these below configurations are optional.
  • options (Object) - Options to customize the CSRF interceptor behavior.

  • options.url (String) - The URL to which the initial CSRF request has to be made to get the CSRF token. Default: \.

  • options.csrfHttpType (String) - The HTTP method type which should be used while requesting the CSRF token call. Default: head.

  • options.maxRetries (Number) - The number of retries allowed for CSRF token call in-case of 403 Forbidden response errors. Default: 5.

  • options.csrfTokenHeader (Array) - Set this option to add the CSRF headers only to some HTTP requests. Default: ['GET', 'HEAD', 'PUT', 'POST', 'DELETE'].

  • options.csrfTokenHeader (String) - Customize the name of the CSRF header on the requests. Default: X-CSRF-TOKEN.


        .module('myApp', [
        .config(function(csrfProvider) {
            // optional configurations
                url: '/login',
                maxRetries: 3,
                csrfHttpType: 'get',
                csrfTokenHeader: 'X-CSRF-XXX-TOKEN',
                httpTypes: ['PUT', 'POST', 'DELETE'] //CSRF token will be added only to these method types 
        }).run(function() {
You can’t perform that action at this time.