How do I add a custom HTTP Request Header to a Thymeleaf generated Form or Link?

Question

We are using JWT authentication in a Spring Boot application. In order to protect against CSRF attacks we want to send the token back to the server in a custom HTTP header instead of a cookie.

Is there a way to get Thymeleaf to use XMLHttpRequest for the links in generates? We do not want to troll through the templates replacing all th:href anchors with javascript onclick handlers.

Answer 1

short answer: no!

long answer: the question is invalid to be honest. Thymeleaf is just a library to generate HTML/XML. XMLHttpRequest which is also known as AJAX (*) is only used via javascript.

Furthermore it is impossible to send custom headers with form post without javascript. So you need to write some javascript to add custom headers along with your form. This custom javascript should be written by you Thymeleaf has no mechanism to automate it.

* For future comments: I know this is not precise, don't be pedantic ;)

---

you can add your token to the page like this [see meta tag]:

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:th="http://www.thymeleaf.org"
      xmlns:layout="http://www.w3.org/1999/xhtml"
      layout:decorator="Layout">
    <head>
        <title>Example</title>

        <meta name="_jwt" th:content="${yourToken}"/>
    </head>
    ...

then in all ajax request you can read those meta values and add as custom headers.

For example if you are using jQuery you can globally configure all jQuery ajax requests as follows:

$(function(){
    var _token = $('meta[name="_jwt"]').attr('content');

    $.ajaxPrefilter(function (options, originalOptions, jqXHR) {
        jqXHR.setRequestHeader("your_jwt_token_header_name", _token);
    });
});