<!-- <csrf disabled="true"/> closes csrf protection, spring recommends that all requests should use csrf protection, the default is open --> <!-- <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/> --> <!-- csrf cannot automatically submit _csrf parameters for ajax requests, usually submit tags in http headers. <head> <meta name="_csrf" content="${_csrf.token}"/> <meta name="_csrf_header" content="${_csrf.headerName}"/> </head> jQuery submission code: $(function () { var token = $("meta[name='_csrf']").attr("content"); var header = $("meta[name='_csrf_header']").attr("content"); $(document).ajaxSend(function(e, xhr, options) { xhr.setRequestHeader(header, token); }); }); --> <!-- csrf settings for file upload multipart: <form action="servlet/fileUpload?${_csrf.parameterName}=${_csrf.token}" method="post" enctype="multipart/form-data"> -->