Fix 403 Forbidden: CSRF cookie subdomain sharing + explicit path for hybrid JWT architecture#43
Merged
vitorhugo-java merged 3 commits intomasterfrom Mar 13, 2026
Merged
Conversation
…operties Co-authored-by: vitorhugo-java <65777252+vitorhugo-java@users.noreply.github.com>
Copilot
AI
changed the title
[WIP] Fix 403 Forbidden error due to missing X-XSRF-TOKEN header
Fix 403 Forbidden: CSRF cookie subdomain sharing + explicit path for hybrid JWT architecture
Mar 13, 2026
Qodana for JVM43 new problems were found
View the detailed Qodana reportTo be able to view the detailed Qodana report, you can either:
To get - name: 'Qodana Scan'
uses: JetBrains/qodana-action@v2025.3.1
with:
upload-result: trueContact Qodana teamContact us at qodana-support@jetbrains.com
|
Contributor
There was a problem hiding this comment.
Pull request overview
This PR addresses browser 403s caused by CSRF double-submit cookie scope issues in a hybrid JWT + cookie architecture, by making CSRF cookie scoping configurable and ensuring the cookie is valid across subdomains.
Changes:
- Add CSRF cookie configuration properties for Domain and SameSite in
application.properties. - Force the CSRF cookie Path to
/inSecurityConfigto avoid context-path-dependent scoping. - Remove an unused CORS-related import.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| src/main/resources/application.properties | Introduces CSRF cookie Domain/SameSite configuration knobs via properties/env placeholders. |
| src/main/java/com/espacogeek/geek/config/SecurityConfig.java | Forces CSRF cookie path to / and keeps CSRF cookie Domain/SameSite configurable; removes unused import. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
You can also share your feedback on Copilot code review. Take the survey.
Comment on lines
+46
to
+48
| security.csrf.cookie-domain=${SECURITY_CSRF_COOKIE_DOMAIN:} | ||
| # CSRF cookie SameSite attribute (e.g., None for cross-site, Lax for same-site). | ||
| security.csrf.cookie-same-site=${SECURITY_CSRF_COOKIE_SAME_SITE:} |
| # is accessible to both api.espacogeek.com (backend) and espacogeek.com (frontend). | ||
| # Leave blank for local development. | ||
| security.csrf.cookie-domain=${SECURITY_CSRF_COOKIE_DOMAIN:} | ||
| # CSRF cookie SameSite attribute (e.g., None for cross-site, Lax for same-site). |
Comment on lines
81
to
85
| var csrfRepo = CookieCsrfTokenRepository.withHttpOnlyFalse(); | ||
| csrfRepo.setCookiePath("/"); | ||
| if (!csrfCookieDomain.isBlank()) { | ||
| csrfRepo.setCookieDomain(csrfCookieDomain); | ||
| } |
| # Leave blank for local development. | ||
| security.csrf.cookie-domain=${SECURITY_CSRF_COOKIE_DOMAIN:} | ||
| # CSRF cookie SameSite attribute (e.g., None for cross-site, Lax for same-site). | ||
| security.csrf.cookie-same-site=${SECURITY_CSRF_COOKIE_SAME_SITE:} |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
The
XSRF-TOKENcookie set byapi.espacogeek.comwas not readable byespacogeek.comdue to Same-Origin Policy, causing browsers to fail the CSRF double-submit check and receive 403s. The fix exposes the two missing configuration knobs and sets the CSRF cookie path explicitly.Changes
SecurityConfig.javacsrfRepo.setCookiePath("/")— without this, the path defaults to servlet context path which may not be/in all deployment scenariosUrlBasedCorsConfigurationSourceimportapplication.propertiessecurity.csrf.cookie-domain=${CSRF_COOKIE_DOMAIN:}— set to.espacogeek.comin production so theXSRF-TOKENcookie is shared across subdomains:security.csrf.cookie-same-site=${CSRF_COOKIE_SAME_SITE:}— allows tuning the SameSite attribute when deploying across origins (e.g.Nonefor cross-site)Architecture already in place (unchanged)
ignoringRequestMatcherswhenAuthorization: Beareris present (mobile/Flutter/Postman)CsrfTokenRequestAttributeHandler(plain, non-XOR) for SPA double-submit-cookie compatibilityJwtAuthenticationFilterreads JWT fromAuthorizationheader first, falls back toEG_AUTHHttpOnly cookie✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.