This repository was archived by the owner on Dec 19, 2023. It is now read-only.
GraphiQL starter is not compatible with Spring Security #253
Closed
Description
Spring Security enables CSRF protection by default and thus requires the CSRF token header on POST requests to the /graphql endpoint. If Spring Security is loaded and CSRF protection is not disabled, the /graphiql endpoint will get a 403 error when it tries to access the /graphql endpoint.
GraphiQLController should check the _csrf attribute in the request and, if it exists, use the header name and the token it contains to add a header to the headers collection used by the fetcher function supplied to GraphiQL.
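
The client-side half of the change proposed above, as an added example that is not code from the issue author or the project. The function names and the shape of the `csrf` object (the header name and token the server would render into the page from the `_csrf` request attribute) are assumptions, and the endpoint is passed in by the caller.

```javascript
// Added example; buildGraphQLHeaders, createGraphiQLFetcher and the
// { headerName, token } object are hypothetical names, not the starter's code.

// RFC 7230 "token" characters: the only characters legal in a header name.
const HEADER_NAME = /^[A-Za-z0-9!#$%&'*+.^_`|~-]+$/;

// csrf: values rendered by the server from the request's "_csrf" attribute,
// or null when Spring Security is absent or CSRF protection is disabled.
function buildGraphQLHeaders(csrf) {
  const headers = {
    Accept: 'application/json',
    'Content-Type': 'application/json',
  };
  const usable =
    csrf &&
    typeof csrf.headerName === 'string' &&
    typeof csrf.token === 'string' &&
    HEADER_NAME.test(csrf.headerName) &&
    csrf.token !== '' &&
    !/[\r\n]/.test(csrf.token); // never let a rendered value split the header
  if (usable) {
    headers[csrf.headerName] = csrf.token; // e.g. X-CSRF-TOKEN by default
  }
  return headers;
}

// Returns the fetcher function handed to GraphiQL. fetchImpl is injectable so
// the request can be inspected without a network.
function createGraphiQLFetcher(endpoint, csrf, fetchImpl = globalThis.fetch) {
  return function fetcher(graphQLParams) {
    return fetchImpl(endpoint, {
      method: 'POST',
      headers: buildGraphQLHeaders(csrf),
      body: JSON.stringify(graphQLParams),
      // The token is checked against the caller's session, so the session
      // cookie has to travel with the request.
      credentials: 'same-origin',
    }).then((response) => response.json());
  };
}
```

With `csrf` set to `null` the fetcher sends the same request it did before, so applications without Spring Security are unaffected.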