I’ve struggled with this problem as well. To debug I’ve made a special tiny project with a minimal code base to reproduce the issue.
My use case is that I want to open 1 specific api endpoint for POST request. In my debug project called “/api/open” while the default remains the secure version for everything else, in my case tested for “/api/closed”
I’ve found 2 solutions, the one mentioned by @Wesley_Connor, which fully disables csrf.
And another mentioned here:
Which disables Camunda’s csrf for just a specific endpoint.
I’ve implemented both solutions in my debug project, so you can see exactly what changes were necessary. As well as a simple test script to validate the results.
I’ve added 2 tags, 1 for each solution.
See the ReadMe for how to run it. Works best using Intellij.