diff --git a/gradle.properties b/gradle.properties
index 5c61e6b1..d96762b2 100644
--- a/gradle.properties
+++ b/gradle.properties
@@ -44,5 +44,3 @@ PLUGIN_JACOCO_VER=0.8.7
 PLUGIN_SONARQUBE_VER=3.2.0
 PLUGIN_NEXUS_STAGING_VER=0.30.0
 PLUGIN_GOOGLE_JAVA_FORMAT_VER=0.9
-###
-org.gradle.daemon=true
diff --git a/graphql-spring-boot-autoconfigure/build.gradle b/graphql-spring-boot-autoconfigure/build.gradle
index 0fdf2462..ec14f63c 100644
--- a/graphql-spring-boot-autoconfigure/build.gradle
+++ b/graphql-spring-boot-autoconfigure/build.gradle
@@ -54,7 +54,7 @@ dependencies {
     testImplementation "org.springframework.boot:spring-boot-starter-web"
     testImplementation "org.springframework.boot:spring-boot-starter-actuator"
     testImplementation "org.springframework.boot:spring-boot-starter-webflux"
-//    testImplementation "org.springframework.boot:spring-boot-starter-security"
+    testImplementation "org.springframework.boot:spring-boot-starter-security"
     testImplementation "org.springframework.security:spring-security-test"
     testImplementation "io.projectreactor:reactor-core"
     testImplementation "io.reactivex.rxjava2:rxjava"
diff --git a/graphql-spring-boot-autoconfigure/src/main/java/graphql/kickstart/autoconfigure/editor/EditorConstants.java b/graphql-spring-boot-autoconfigure/src/main/java/graphql/kickstart/autoconfigure/editor/EditorConstants.java
new file mode 100644
index 00000000..6ccef776
--- /dev/null
+++ b/graphql-spring-boot-autoconfigure/src/main/java/graphql/kickstart/autoconfigure/editor/EditorConstants.java
@@ -0,0 +1,10 @@
+package graphql.kickstart.autoconfigure.editor;
+
+import lombok.AccessLevel;
+import lombok.NoArgsConstructor;
+
+@NoArgsConstructor(access = AccessLevel.PRIVATE)
+public class EditorConstants {
+
+  public static final String CSRF_ATTRIBUTE_NAME = "_csrf";
+}
diff --git a/graphql-spring-boot-autoconfigure/src/main/java/graphql/kickstart/autoconfigure/editor/altair/AltairAutoConfiguration.java b/graphql-spring-boot-autoconfigure/src/main/java/graphql/kickstart/autoconfigure/editor/altair/AltairAutoConfiguration.java
index fe0c5b4c..d01f8acd 100644
--- a/graphql-spring-boot-autoconfigure/src/main/java/graphql/kickstart/autoconfigure/editor/altair/AltairAutoConfiguration.java
+++ b/graphql-spring-boot-autoconfigure/src/main/java/graphql/kickstart/autoconfigure/editor/altair/AltairAutoConfiguration.java
@@ -17,7 +17,10 @@ public class AltairAutoConfiguration {
 
   @Bean
   @ConditionalOnProperty(value = "graphql.altair.enabled", havingValue = "true")
-  AltairController altairController() {
-    return new AltairController();
+  AltairController altairController(
+      AltairProperties altairProperties,
+      AltairOptions altairOptions,
+      AltairResources altairResources) {
+    return new AltairController(altairProperties, altairOptions, altairResources);
   }
 }
diff --git a/graphql-spring-boot-autoconfigure/src/main/java/graphql/kickstart/autoconfigure/editor/altair/AltairController.java b/graphql-spring-boot-autoconfigure/src/main/java/graphql/kickstart/autoconfigure/editor/altair/AltairController.java
index dfcbf92e..af73eea8 100644
--- a/graphql-spring-boot-autoconfigure/src/main/java/graphql/kickstart/autoconfigure/editor/altair/AltairController.java
+++ b/graphql-spring-boot-autoconfigure/src/main/java/graphql/kickstart/autoconfigure/editor/altair/AltairController.java
@@ -13,12 +13,12 @@
 import java.util.Map;
 import javax.annotation.PostConstruct;
 import javax.servlet.http.HttpServletResponse;
+import lombok.RequiredArgsConstructor;
 import lombok.SneakyThrows;
 import lombok.extern.slf4j.Slf4j;
 import lombok.val;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.commons.text.StringSubstitutor;
-import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.core.io.ClassPathResource;
 import org.springframework.stereotype.Controller;
 import org.springframework.util.StreamUtils;
@@ -27,14 +27,15 @@
 /** @author Moncef AOUDIA */
 @Slf4j
 @Controller
+@RequiredArgsConstructor
 public class AltairController {
 
   private static final String CDN_JSDELIVR_NET_NPM = "//cdn.jsdelivr.net/npm/";
   private static final String ALTAIR = "altair-static";
   private final ObjectMapper objectMapper = new ObjectMapper();
-  @Autowired private AltairProperties altairProperties;
-  @Autowired private AltairOptions altairOptions;
-  @Autowired private AltairResources altairResources;
+  private final AltairProperties altairProperties;
+  private final AltairOptions altairOptions;
+  private final AltairResources altairResources;
 
   private String template;
 
diff --git a/graphql-spring-boot-autoconfigure/src/main/java/graphql/kickstart/autoconfigure/editor/voyager/ReactiveVoyagerController.java b/graphql-spring-boot-autoconfigure/src/main/java/graphql/kickstart/autoconfigure/editor/voyager/ReactiveVoyagerController.java
index 318ea7e6..a1fb8a36 100644
--- a/graphql-spring-boot-autoconfigure/src/main/java/graphql/kickstart/autoconfigure/editor/voyager/ReactiveVoyagerController.java
+++ b/graphql-spring-boot-autoconfigure/src/main/java/graphql/kickstart/autoconfigure/editor/voyager/ReactiveVoyagerController.java
@@ -1,5 +1,7 @@
 package graphql.kickstart.autoconfigure.editor.voyager;
 
+import static graphql.kickstart.autoconfigure.editor.EditorConstants.CSRF_ATTRIBUTE_NAME;
+
 import java.io.IOException;
 import java.util.Map;
 import lombok.RequiredArgsConstructor;
@@ -9,6 +11,7 @@
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PathVariable;
+import org.springframework.web.bind.annotation.RequestAttribute;
 
 /** @author Max David Günther */
 @Controller
@@ -18,10 +21,12 @@ public class ReactiveVoyagerController {
   @Autowired private VoyagerIndexHtmlTemplate indexTemplate;
 
   @GetMapping(path = "${graphql.voyager.mapping:/voyager}")
-  public ResponseEntity<String> voyager(@PathVariable Map<String, String> params)
+  public ResponseEntity<String> voyager(
+      final @RequestAttribute(value = CSRF_ATTRIBUTE_NAME, required = false) Object csrf,
+      @PathVariable Map<String, String> params)
       throws IOException {
     // no context path in spring-webflux
-    String indexHtmlContent = indexTemplate.fillIndexTemplate("", params);
+    String indexHtmlContent = indexTemplate.fillIndexTemplate("", csrf, params);
     return ResponseEntity.ok()
         .contentType(MediaType.valueOf("text/html; charset=UTF-8"))
         .body(indexHtmlContent);
diff --git a/graphql-spring-boot-autoconfigure/src/main/java/graphql/kickstart/autoconfigure/editor/voyager/VoyagerAutoConfiguration.java b/graphql-spring-boot-autoconfigure/src/main/java/graphql/kickstart/autoconfigure/editor/voyager/VoyagerAutoConfiguration.java
index c6ed9574..20e8e6bd 100644
--- a/graphql-spring-boot-autoconfigure/src/main/java/graphql/kickstart/autoconfigure/editor/voyager/VoyagerAutoConfiguration.java
+++ b/graphql-spring-boot-autoconfigure/src/main/java/graphql/kickstart/autoconfigure/editor/voyager/VoyagerAutoConfiguration.java
@@ -17,8 +17,8 @@
 public class VoyagerAutoConfiguration {
 
   @Bean
-  VoyagerController voyagerController() {
-    return new VoyagerController();
+  VoyagerController voyagerController(VoyagerIndexHtmlTemplate voyagerIndexHtmlTemplate) {
+    return new VoyagerController(voyagerIndexHtmlTemplate);
   }
 
   @Bean
diff --git a/graphql-spring-boot-autoconfigure/src/main/java/graphql/kickstart/autoconfigure/editor/voyager/VoyagerController.java b/graphql-spring-boot-autoconfigure/src/main/java/graphql/kickstart/autoconfigure/editor/voyager/VoyagerController.java
index 8e1ebd70..bb6fde1f 100644
--- a/graphql-spring-boot-autoconfigure/src/main/java/graphql/kickstart/autoconfigure/editor/voyager/VoyagerController.java
+++ b/graphql-spring-boot-autoconfigure/src/main/java/graphql/kickstart/autoconfigure/editor/voyager/VoyagerController.java
@@ -1,26 +1,33 @@
 package graphql.kickstart.autoconfigure.editor.voyager;
 
+import static graphql.kickstart.autoconfigure.editor.EditorConstants.CSRF_ATTRIBUTE_NAME;
+
 import java.io.IOException;
 import java.util.Map;
 import javax.servlet.http.HttpServletRequest;
-import org.springframework.beans.factory.annotation.Autowired;
+import lombok.RequiredArgsConstructor;
 import org.springframework.http.MediaType;
 import org.springframework.http.ResponseEntity;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PathVariable;
+import org.springframework.web.bind.annotation.RequestAttribute;
 
 /** @author Max David Günther */
 @Controller
+@RequiredArgsConstructor
 public class VoyagerController {
 
-  @Autowired private VoyagerIndexHtmlTemplate indexTemplate;
+  private final VoyagerIndexHtmlTemplate indexTemplate;
 
   @GetMapping(value = "${graphql.voyager.mapping:/voyager}")
   public ResponseEntity<String> voyager(
-      HttpServletRequest request, @PathVariable Map<String, String> params) throws IOException {
+      HttpServletRequest request,
+      final @RequestAttribute(value = CSRF_ATTRIBUTE_NAME, required = false) Object csrf,
+      @PathVariable Map<String, String> params)
+      throws IOException {
     String contextPath = request.getContextPath();
-    String indexHtmlContent = indexTemplate.fillIndexTemplate(contextPath, params);
+    String indexHtmlContent = indexTemplate.fillIndexTemplate(contextPath, csrf, params);
     return ResponseEntity.ok()
         .contentType(MediaType.valueOf("text/html; charset=UTF-8"))
         .body(indexHtmlContent);
diff --git a/graphql-spring-boot-autoconfigure/src/main/java/graphql/kickstart/autoconfigure/editor/voyager/VoyagerIndexHtmlTemplate.java b/graphql-spring-boot-autoconfigure/src/main/java/graphql/kickstart/autoconfigure/editor/voyager/VoyagerIndexHtmlTemplate.java
index d8c598b1..c15f9115 100644
--- a/graphql-spring-boot-autoconfigure/src/main/java/graphql/kickstart/autoconfigure/editor/voyager/VoyagerIndexHtmlTemplate.java
+++ b/graphql-spring-boot-autoconfigure/src/main/java/graphql/kickstart/autoconfigure/editor/voyager/VoyagerIndexHtmlTemplate.java
@@ -1,5 +1,8 @@
 package graphql.kickstart.autoconfigure.editor.voyager;
 
+import static graphql.kickstart.autoconfigure.editor.EditorConstants.CSRF_ATTRIBUTE_NAME;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
 import java.io.IOException;
 import java.nio.charset.Charset;
 import java.util.HashMap;
@@ -21,9 +24,10 @@ public class VoyagerIndexHtmlTemplate {
   private static final String FAVICON_APIS_GURU =
       "//apis.guru/graphql-voyager/icons/favicon-16x16.png";
 
+  private final ObjectMapper objectMapper = new ObjectMapper();
   private final VoyagerPropertiesConfiguration voyagerConfiguration;
 
-  public String fillIndexTemplate(String contextPath, Map<String, String> params)
+  public String fillIndexTemplate(String contextPath, Object csrf, Map<String, String> params)
       throws IOException {
     String template =
         StreamUtils.copyToString(
@@ -34,6 +38,11 @@ public String fillIndexTemplate(String contextPath, Map<String, String> params)
     String voyagerCdnVersion = voyagerConfiguration.getCdn().getVersion();
 
     Map<String, String> replacements = new HashMap<>();
+    if (csrf != null) {
+      replacements.put(CSRF_ATTRIBUTE_NAME, objectMapper.writeValueAsString(csrf));
+    } else {
+      replacements.put(CSRF_ATTRIBUTE_NAME, "null");
+    }
     replacements.put("graphqlEndpoint", constructGraphQlEndpoint(contextPath, params));
     replacements.put("pageTitle", voyagerConfiguration.getPageTitle());
     replacements.put("pageFavicon", getResourceUrl(basePath, "favicon.ico", FAVICON_APIS_GURU));
diff --git a/graphql-spring-boot-autoconfigure/src/main/resources/templates/voyager.html b/graphql-spring-boot-autoconfigure/src/main/resources/templates/voyager.html
index bfbb57ae..332ed226 100644
--- a/graphql-spring-boot-autoconfigure/src/main/resources/templates/voyager.html
+++ b/graphql-spring-boot-autoconfigure/src/main/resources/templates/voyager.html
@@ -1,88 +1,105 @@
 <!DOCTYPE html>
 <html>
-    <head>
-        <script src="${es6PromiseJsUrl}"></script>
-        <script src="${fetchJsUrl}"></script>
-        <script src="${reactJsUrl}"></script>
-        <script src="${reactDomJsUrl}"></script>
+<head>
+    <script src="${es6PromiseJsUrl}"></script>
+    <script src="${fetchJsUrl}"></script>
+    <script src="${reactJsUrl}"></script>
+    <script src="${reactDomJsUrl}"></script>
 
-        <link rel="stylesheet" href="${voyagerCssUrl}"/>
-        <link rel="icon" type="image/x-icon" href="${pageFavicon}">
-        <script src="${voyagerJsUrl}"></script>
-        <script src="${voyagerWorkerJsUrl}"></script>
+    <link rel="stylesheet" href="${voyagerCssUrl}"/>
+    <link rel="icon" type="image/x-icon" href="${pageFavicon}">
+    <script src="${voyagerJsUrl}"></script>
+    <script src="${voyagerWorkerJsUrl}"></script>
 
-        <meta charset="utf-8">
-        <meta name="viewport" content="user-scalable=no, initial-scale=1.0, minimum-scale=1.0, maximum-scale=1.0">
-        <title>${pageTitle}</title>
-        <style>
-             body {
-               padding: 0;
-               margin: 0;
-               width: 100%;
-               height: 100vh;
-               overflow: hidden;
-             }
-             #voyager {
-               height: 100%;
-               position: relative;
-             }
-        </style>
-    </head>
-    <body>
-        <div id="voyager">
-            <div class="graphql-voyager">
-                <div class="doc-panel">
-                    <div class="contents">
-                        <div class="type-doc">
-                            <span class="loading"> Loading... </span>;
-                        </div>
-                        <div class="powered-by">🛰 Powered by <a href="https://github.com/APIs-guru/graphql-voyager" target="_blank">GraphQL Voyager</a></div>
-                    </div>
+    <meta charset="utf-8">
+    <meta name="viewport"
+          content="user-scalable=no, initial-scale=1.0, minimum-scale=1.0, maximum-scale=1.0">
+    <title>${pageTitle}</title>
+    <style>
+        body {
+            padding: 0;
+            margin: 0;
+            width: 100%;
+            height: 100vh;
+            overflow: hidden;
+        }
+
+        #voyager {
+            height: 100%;
+            position: relative;
+        }
+    </style>
+</head>
+<body>
+<div id="voyager">
+    <div class="graphql-voyager">
+        <div class="doc-panel">
+            <div class="contents">
+                <div class="type-doc">
+                    <span class="loading"> Loading... </span>;
                 </div>
-                <div class="viewport"></div>
-                <div class="loading-box visible">
+                <div class="powered-by">🛰 Powered by <a
+                    href="https://github.com/APIs-guru/graphql-voyager" target="_blank">GraphQL
+                    Voyager</a></div>
+            </div>
+        </div>
+        <div class="viewport"></div>
+        <div class="loading-box visible">
                   <span class="loading-animation">
-                    <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 490.8 438.1"><path d="M334.2 285c-2.3-2.3-6.1-2.3-8.5 0l-6.5 6.5-10.1-10.1 2.9-2.9c4.7-4.7 4.7-12.3 0-17l-2.6-2.6c.2-.6.4-1.3.4-2.1V217c22.9 15.1 46.9 23.5 67.7 23.5 4.8 0 9.5-.5 13.9-1.4 4.3-.9 7.8-4.1 9.1-8.3 1.3-4.2.1-8.8-3-11.9l-53.1-53.1v-24.3c1.2.2 2.5.4 3.7.4 5.1 0 9.9-2 13.5-5.6 7.5-7.5 7.5-19.6 0-27.1-3.6-3.6-8.4-5.6-13.5-5.6s-9.9 2-13.5 5.6c-3.6 3.6-5.6 8.4-5.6 13.5 0 1.3.1 2.5.4 3.7h-24.3L252 73.3c-2.3-2.3-5.3-3.5-8.5-3.5-1.1 0-2.3.2-3.4.5-4.2 1.3-7.4 4.7-8.3 9.1-4.9 23.5 3.4 53.2 22.2 81.6h-39.8c-.5 0-1 .1-1.5.2 3.3-5.3 2.7-12.4-1.9-17-1.9-1.9-4.2-3.1-6.7-3.7L177.6 30c.4-.3.8-.7 1.2-1.1 5.5-5.5 5.5-14.5 0-20s-14.5-5.5-20 0-5.5 14.5 0 20c2 2 4.5 3.3 7.1 3.8l26.2 110.6c-.3.3-.7.6-1 .9-5.3 5.3-5.3 14 0 19.3.3.3.7.6 1 .9L159.8 197c-.3-.4-.6-.7-.9-1-5.3-5.3-14-5.3-19.3 0-.3.3-.6.7-.9 1L28 170.7c-.6-2.7-1.9-5.1-3.8-7.1-5.5-5.5-14.5-5.5-20 0-2.7 2.7-4.1 6.2-4.1 10s1.5 7.3 4.1 10c2.8 2.8 6.4 4.1 10 4.1 3.6 0 7.2-1.4 10-4.1.4-.4.7-.8 1.1-1.2L136 208.6c.5 2.4 1.8 4.8 3.7 6.7 2.7 2.7 6.2 4 9.7 4 2.1 0 4.2-.5 6.1-1.5l.3.3 99.9 99.9c2.3 2.3 5.3 3.5 8.5 3.5s6.2-1.3 8.5-3.5l3.4-3.4 10.1 10.1-7.4 7.4c-2.3 2.3-2.3 6.1 0 8.5l95.7 95.7c.3.3.6.5.9.8h.1c.3.2.6.4 1 .5h.1c.3.1.7.2 1 .3h.1c.4.1.7.1 1.1.1s.7 0 1.1-.1h.1c.4-.1.7-.2 1-.3h.1c.3-.1.7-.3 1-.5h.1c.7-.4 1.2-1 1.7-1.7v-.1c.2-.3.4-.6.5-1v-.1c.1-.3.2-.7.3-1v-.1c.1-.4.1-.7.1-1.1v-40.9h40.9c1.7 0 3.3-.7 4.4-1.9 0 0 .1 0 .1-.1 2.3-2.3 2.3-6.1 0-8.5l-96-95.6zm38.3 94.2h-34.9v-34.9h34.9v34.9zM325.7 302v30.3h-30.3l30.3-30.3zm0 42.3v26.4l-26.4-26.4h26.4zm12-12v-26.9l26.9 26.9h-26.9zm-69.3-114.4h29.3v29.3l-29.3-29.3zm-3.5-42L295 206h-30.1v-30.1zm63.9-25.5l3.4-3.4v6.8l-3.4-3.4zm14.2-32.7c1.3-1.3 3.1-2.1 5-2.1s3.7.7 5 2.1c2.8 2.8 2.8 7.3 0 10.1-1.3 1.3-3.1 2.1-5 2.1s-3.7-.7-5-2.1-2.1-3.1-2.1-5 .7-3.7 2.1-5.1zm-19.2 20.8l-3.4 3.4-3.4-3.4h6.8zm-80.5-56.6l145.6 145.6c-3.6.7-7.5 1.1-11.5 1.1-21.7 0-48.5-10.8-73.4-30.5l-31.4-31.4c-23.2-29.4-34.1-61.6-29.3-84.8zm9.6 120.5L223.5 173h29.3v29.4zm-88.8 7.2l39.5-39.5 99.9 99.9-5.4 5.4c-.8.3-1.5.7-2.1 1.3-.6.6-1 1.3-1.3 2.1l-21.3 21.3c-.8.3-1.5.7-2.1 1.3-.6.6-1 1.3-1.3 2.1l-6 6-99.9-99.9zm120.3 96.5l16.3-16.3 10.1 10.1-16.3 16.3-10.1-10.1zm88.1 111.5l-26.4-26.4h26.4v26.4zm12-65.3l26.9 26.9h-26.9v-26.9z"></path><path d="M217.5 198.2c-5.2 0-10.2 1.5-14.5 4.5-11.8 8-14.9 24.1-6.9 35.9 4.8 7.1 12.8 11.4 21.4 11.4 5.2 0 10.2-1.5 14.5-4.5 5.7-3.9 9.6-9.7 10.9-16.5 1.3-6.8-.1-13.7-4-19.4-4.8-7.2-12.8-11.4-21.4-11.4zm7.8 37.3c-2.4 1.6-5.1 2.4-7.8 2.4-4.4 0-8.8-2.1-11.5-6.1-4.3-6.3-2.6-14.9 3.7-19.2 2.4-1.6 5.1-2.4 7.8-2.4 4.4 0 8.8 2.1 11.5 6.1 4.2 6.3 2.6 14.9-3.7 19.2z"></path><path class="voyager-signal1" d="M369.5 101.3c5.1 5.1 10.3 9.4 14.6 12.2 2.6 1.7 5.9 3.6 8.9 3.6 1.4 0 2.6-.4 3.7-1.4 5.8-5.8-8.1-20.9-14.3-27.2-5.1-5.1-10.3-9.4-14.6-12.2-3.8-2.5-9.3-5.4-12.5-2.1-5.9 5.7 8 20.8 14.2 27.1zm7.9-7.9c6.6 6.6 10.6 12 12.4 15.4-3.3-1.9-8.8-5.9-15.4-12.4-6.6-6.6-10.6-12-12.4-15.4 3.4 1.8 8.8 5.8 15.4 12.4z"></path><path class="voyager-signal2" d="M390 80.8c4.4 4.4 24.2 23.6 34.7 23.6 1.7 0 3.1-.5 4.2-1.6 8.1-8.1-16.9-33.9-22-39-5.1-5.1-30.9-30.1-39-22-3.1 3.1-2 8.4 3.5 16.8 4.4 6.7 11 14.5 18.6 22.2zm12-12.1c13.9 13.9 20.4 24.6 21.4 28.5-3.9-1.1-14.6-7.5-28.5-21.4-13.9-13.9-20.4-24.6-21.4-28.5 4 1.1 14.6 7.5 28.5 21.4z"></path><path class="voyager-signal3" d="M462.5 67c-6.5-9.2-16.2-20.4-27.3-31.5-11-11-22.2-20.7-31.4-27.2-11.5-8.1-18-10.1-21.5-6.6s-1.5 9.9 6.6 21.5c6.5 9.2 16.2 20.4 27.3 31.5 11.1 11.1 22.3 20.8 31.5 27.3 7.9 5.6 13.4 8.3 17.2 8.3 1.7 0 3.1-.6 4.2-1.7 3.5-3.6 1.6-10-6.6-21.6zm-41.4-17.3C399.4 28 389.3 12.4 387.8 7.2c5.2 1.5 20.8 11.6 42.5 33.3C452 62.2 462 77.8 463.6 83c-5.2-1.6-20.8-11.6-42.5-33.3z"></path></svg>
+                    <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 490.8 438.1"><path
+                        d="M334.2 285c-2.3-2.3-6.1-2.3-8.5 0l-6.5 6.5-10.1-10.1 2.9-2.9c4.7-4.7 4.7-12.3 0-17l-2.6-2.6c.2-.6.4-1.3.4-2.1V217c22.9 15.1 46.9 23.5 67.7 23.5 4.8 0 9.5-.5 13.9-1.4 4.3-.9 7.8-4.1 9.1-8.3 1.3-4.2.1-8.8-3-11.9l-53.1-53.1v-24.3c1.2.2 2.5.4 3.7.4 5.1 0 9.9-2 13.5-5.6 7.5-7.5 7.5-19.6 0-27.1-3.6-3.6-8.4-5.6-13.5-5.6s-9.9 2-13.5 5.6c-3.6 3.6-5.6 8.4-5.6 13.5 0 1.3.1 2.5.4 3.7h-24.3L252 73.3c-2.3-2.3-5.3-3.5-8.5-3.5-1.1 0-2.3.2-3.4.5-4.2 1.3-7.4 4.7-8.3 9.1-4.9 23.5 3.4 53.2 22.2 81.6h-39.8c-.5 0-1 .1-1.5.2 3.3-5.3 2.7-12.4-1.9-17-1.9-1.9-4.2-3.1-6.7-3.7L177.6 30c.4-.3.8-.7 1.2-1.1 5.5-5.5 5.5-14.5 0-20s-14.5-5.5-20 0-5.5 14.5 0 20c2 2 4.5 3.3 7.1 3.8l26.2 110.6c-.3.3-.7.6-1 .9-5.3 5.3-5.3 14 0 19.3.3.3.7.6 1 .9L159.8 197c-.3-.4-.6-.7-.9-1-5.3-5.3-14-5.3-19.3 0-.3.3-.6.7-.9 1L28 170.7c-.6-2.7-1.9-5.1-3.8-7.1-5.5-5.5-14.5-5.5-20 0-2.7 2.7-4.1 6.2-4.1 10s1.5 7.3 4.1 10c2.8 2.8 6.4 4.1 10 4.1 3.6 0 7.2-1.4 10-4.1.4-.4.7-.8 1.1-1.2L136 208.6c.5 2.4 1.8 4.8 3.7 6.7 2.7 2.7 6.2 4 9.7 4 2.1 0 4.2-.5 6.1-1.5l.3.3 99.9 99.9c2.3 2.3 5.3 3.5 8.5 3.5s6.2-1.3 8.5-3.5l3.4-3.4 10.1 10.1-7.4 7.4c-2.3 2.3-2.3 6.1 0 8.5l95.7 95.7c.3.3.6.5.9.8h.1c.3.2.6.4 1 .5h.1c.3.1.7.2 1 .3h.1c.4.1.7.1 1.1.1s.7 0 1.1-.1h.1c.4-.1.7-.2 1-.3h.1c.3-.1.7-.3 1-.5h.1c.7-.4 1.2-1 1.7-1.7v-.1c.2-.3.4-.6.5-1v-.1c.1-.3.2-.7.3-1v-.1c.1-.4.1-.7.1-1.1v-40.9h40.9c1.7 0 3.3-.7 4.4-1.9 0 0 .1 0 .1-.1 2.3-2.3 2.3-6.1 0-8.5l-96-95.6zm38.3 94.2h-34.9v-34.9h34.9v34.9zM325.7 302v30.3h-30.3l30.3-30.3zm0 42.3v26.4l-26.4-26.4h26.4zm12-12v-26.9l26.9 26.9h-26.9zm-69.3-114.4h29.3v29.3l-29.3-29.3zm-3.5-42L295 206h-30.1v-30.1zm63.9-25.5l3.4-3.4v6.8l-3.4-3.4zm14.2-32.7c1.3-1.3 3.1-2.1 5-2.1s3.7.7 5 2.1c2.8 2.8 2.8 7.3 0 10.1-1.3 1.3-3.1 2.1-5 2.1s-3.7-.7-5-2.1-2.1-3.1-2.1-5 .7-3.7 2.1-5.1zm-19.2 20.8l-3.4 3.4-3.4-3.4h6.8zm-80.5-56.6l145.6 145.6c-3.6.7-7.5 1.1-11.5 1.1-21.7 0-48.5-10.8-73.4-30.5l-31.4-31.4c-23.2-29.4-34.1-61.6-29.3-84.8zm9.6 120.5L223.5 173h29.3v29.4zm-88.8 7.2l39.5-39.5 99.9 99.9-5.4 5.4c-.8.3-1.5.7-2.1 1.3-.6.6-1 1.3-1.3 2.1l-21.3 21.3c-.8.3-1.5.7-2.1 1.3-.6.6-1 1.3-1.3 2.1l-6 6-99.9-99.9zm120.3 96.5l16.3-16.3 10.1 10.1-16.3 16.3-10.1-10.1zm88.1 111.5l-26.4-26.4h26.4v26.4zm12-65.3l26.9 26.9h-26.9v-26.9z"></path><path
+                        d="M217.5 198.2c-5.2 0-10.2 1.5-14.5 4.5-11.8 8-14.9 24.1-6.9 35.9 4.8 7.1 12.8 11.4 21.4 11.4 5.2 0 10.2-1.5 14.5-4.5 5.7-3.9 9.6-9.7 10.9-16.5 1.3-6.8-.1-13.7-4-19.4-4.8-7.2-12.8-11.4-21.4-11.4zm7.8 37.3c-2.4 1.6-5.1 2.4-7.8 2.4-4.4 0-8.8-2.1-11.5-6.1-4.3-6.3-2.6-14.9 3.7-19.2 2.4-1.6 5.1-2.4 7.8-2.4 4.4 0 8.8 2.1 11.5 6.1 4.2 6.3 2.6 14.9-3.7 19.2z"></path><path
+                        class="voyager-signal1"
+                        d="M369.5 101.3c5.1 5.1 10.3 9.4 14.6 12.2 2.6 1.7 5.9 3.6 8.9 3.6 1.4 0 2.6-.4 3.7-1.4 5.8-5.8-8.1-20.9-14.3-27.2-5.1-5.1-10.3-9.4-14.6-12.2-3.8-2.5-9.3-5.4-12.5-2.1-5.9 5.7 8 20.8 14.2 27.1zm7.9-7.9c6.6 6.6 10.6 12 12.4 15.4-3.3-1.9-8.8-5.9-15.4-12.4-6.6-6.6-10.6-12-12.4-15.4 3.4 1.8 8.8 5.8 15.4 12.4z"></path><path
+                        class="voyager-signal2"
+                        d="M390 80.8c4.4 4.4 24.2 23.6 34.7 23.6 1.7 0 3.1-.5 4.2-1.6 8.1-8.1-16.9-33.9-22-39-5.1-5.1-30.9-30.1-39-22-3.1 3.1-2 8.4 3.5 16.8 4.4 6.7 11 14.5 18.6 22.2zm12-12.1c13.9 13.9 20.4 24.6 21.4 28.5-3.9-1.1-14.6-7.5-28.5-21.4-13.9-13.9-20.4-24.6-21.4-28.5 4 1.1 14.6 7.5 28.5 21.4z"></path><path
+                        class="voyager-signal3"
+                        d="M462.5 67c-6.5-9.2-16.2-20.4-27.3-31.5-11-11-22.2-20.7-31.4-27.2-11.5-8.1-18-10.1-21.5-6.6s-1.5 9.9 6.6 21.5c6.5 9.2 16.2 20.4 27.3 31.5 11.1 11.1 22.3 20.8 31.5 27.3 7.9 5.6 13.4 8.3 17.2 8.3 1.7 0 3.1-.6 4.2-1.7 3.5-3.6 1.6-10-6.6-21.6zm-41.4-17.3C399.4 28 389.3 12.4 387.8 7.2c5.2 1.5 20.8 11.6 42.5 33.3C452 62.2 462 77.8 463.6 83c-5.2-1.6-20.8-11.6-42.5-33.3z"></path></svg>
                     <h1> Transmitting... </h1>
                   </span>
-                </div>
-            </div>
         </div>
-        <script>
-            function introspectionProvider(introspectionQuery) {
-                return fetch('${graphqlEndpoint}', {
-                    method: 'post',
-                    headers: {
-                        'Accept': 'application/json',
-                        'Content-Type': 'application/json'
-                    },
-                    body: JSON.stringify({ query: introspectionQuery }),
-                    credentials: 'include'
-                }).then(function(response) {
-                    return response.text();
-                }).then(function(responseBody) {
-                    try {
-                        return JSON.parse(responseBody);
-                    } catch(error) {
-                        return responseBody;
-                    }
-                });
+    </div>
+</div>
+<script>
+    function introspectionProvider(introspectionQuery) {
+        let headers = {
+            'Accept': 'application/json',
+            'Content-Type': 'application/json'
+        }
+        let csrf = ${_csrf}
+        if (csrf) {
+            headers[csrf.headerName] = csrf.token;
+        }
+        return fetch('${graphqlEndpoint}', {
+            method: 'post',
+            headers: headers,
+            body: JSON.stringify({query: introspectionQuery}),
+            credentials: 'include'
+        }).then(function (response) {
+            return response.text();
+        }).then(function (responseBody) {
+            try {
+                return JSON.parse(responseBody);
+            } catch (error) {
+                return responseBody;
             }
+        });
+    }
 
-            // Render <Voyager /> into the body.
-            GraphQLVoyager.init(document.getElementById('voyager'), {
-                introspection: introspectionProvider,
-                displayOptions: {
-                    skipRelay: ${voyagerDisplayOptionsSkipRelay},
-                    skipDeprecated: ${voyagerDisplayOptionsSkipDeprecated},
-                    rootType: '${voyagerDisplayOptionsRootType}',
-                    sortByAlphabet: ${voyagerDisplayOptionsSortByAlphabet},
-                    showLeafFields: ${voyagerDisplayOptionsShowLeafFields},
-                    hideRoot: ${voyagerDisplayOptionsHideRoot},
-                },
-                hideDocs: ${voyagerHideDocs},
-                hideSettings: ${voyagerHideSettings},
-            })
-        </script>
-    </body>
+    // Render <Voyager /> into the body.
+    GraphQLVoyager.init(document.getElementById('voyager'), {
+        introspection: introspectionProvider,
+        displayOptions: {
+            skipRelay: ${voyagerDisplayOptionsSkipRelay},
+            skipDeprecated: ${voyagerDisplayOptionsSkipDeprecated},
+            rootType: '${voyagerDisplayOptionsRootType}',
+            sortByAlphabet: ${voyagerDisplayOptionsSortByAlphabet},
+            showLeafFields: ${voyagerDisplayOptionsShowLeafFields},
+            hideRoot: ${voyagerDisplayOptionsHideRoot},
+        },
+        hideDocs: ${voyagerHideDocs},
+        hideSettings: ${voyagerHideSettings},
+    })
+</script>
+</body>
 </html>
diff --git a/graphql-spring-boot-autoconfigure/src/test/java/graphql/kickstart/autoconfigure/PermitAllWebSecurity.java b/graphql-spring-boot-autoconfigure/src/test/java/graphql/kickstart/autoconfigure/PermitAllWebSecurity.java
new file mode 100644
index 00000000..fd713e57
--- /dev/null
+++ b/graphql-spring-boot-autoconfigure/src/test/java/graphql/kickstart/autoconfigure/PermitAllWebSecurity.java
@@ -0,0 +1,16 @@
+package graphql.kickstart.autoconfigure;
+
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+
+@Configuration
+@EnableWebSecurity
+public class PermitAllWebSecurity extends WebSecurityConfigurerAdapter {
+
+  @Override
+  protected void configure(final HttpSecurity http) throws Exception {
+    http.authorizeRequests().anyRequest().permitAll();
+  }
+}
diff --git a/graphql-spring-boot-autoconfigure/src/test/java/graphql/kickstart/autoconfigure/editor/voyager/VoyagerWithCsrfTest.java b/graphql-spring-boot-autoconfigure/src/test/java/graphql/kickstart/autoconfigure/editor/voyager/VoyagerWithCsrfTest.java
new file mode 100644
index 00000000..80759313
--- /dev/null
+++ b/graphql-spring-boot-autoconfigure/src/test/java/graphql/kickstart/autoconfigure/editor/voyager/VoyagerWithCsrfTest.java
@@ -0,0 +1,46 @@
+package graphql.kickstart.autoconfigure.editor.voyager;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
+
+import graphql.kickstart.autoconfigure.PermitAllWebSecurity;
+import org.jsoup.Jsoup;
+import org.jsoup.nodes.Document;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration;
+import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
+import org.springframework.boot.test.context.SpringBootTest;
+import org.springframework.context.annotation.Import;
+import org.springframework.test.context.ActiveProfiles;
+import org.springframework.test.context.junit.jupiter.SpringExtension;
+import org.springframework.test.web.servlet.MockMvc;
+import org.springframework.test.web.servlet.MvcResult;
+
+@ExtendWith(SpringExtension.class)
+@Import(PermitAllWebSecurity.class)
+@SpringBootTest(
+    classes = {VoyagerAutoConfiguration.class, SecurityAutoConfiguration.class},
+    properties = {"spring.main.web-application-type=servlet"})
+@AutoConfigureMockMvc
+@ActiveProfiles("voyager")
+class VoyagerWithCsrfTest {
+
+  @Autowired private MockMvc mockMvc;
+
+  @Test
+  void shouldLoadCSRFData() throws Exception {
+    final MvcResult mvcResult =
+        mockMvc.perform(get("/voyager")).andExpect(status().isOk()).andReturn();
+
+    final Document document = Jsoup.parse(mvcResult.getResponse().getContentAsString());
+    final String script = document.body().select("body script").dataNodes().get(0).getWholeData();
+    assertThat(script)
+        .contains("let csrf = {\"")
+        .contains("\"token\":\"")
+        .contains("\"parameterName\":\"_csrf\"")
+        .contains("\"headerName\":\"X-CSRF-TOKEN\"");
+  }
+}
diff --git a/graphql-spring-boot-autoconfigure/src/test/java/graphql/kickstart/autoconfigure/editor/voyager/VoyagerWithoutCsrfTest.java b/graphql-spring-boot-autoconfigure/src/test/java/graphql/kickstart/autoconfigure/editor/voyager/VoyagerWithoutCsrfTest.java
new file mode 100644
index 00000000..7507cc12
--- /dev/null
+++ b/graphql-spring-boot-autoconfigure/src/test/java/graphql/kickstart/autoconfigure/editor/voyager/VoyagerWithoutCsrfTest.java
@@ -0,0 +1,36 @@
+package graphql.kickstart.autoconfigure.editor.voyager;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
+
+import org.jsoup.Jsoup;
+import org.jsoup.nodes.Document;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
+import org.springframework.boot.test.context.SpringBootTest;
+import org.springframework.test.context.ActiveProfiles;
+import org.springframework.test.context.junit.jupiter.SpringExtension;
+import org.springframework.test.web.servlet.MockMvc;
+import org.springframework.test.web.servlet.MvcResult;
+
+@ExtendWith(SpringExtension.class)
+@SpringBootTest(classes = {VoyagerAutoConfiguration.class})
+@AutoConfigureMockMvc
+@ActiveProfiles("voyager")
+class VoyagerWithoutCsrfTest {
+
+  @Autowired private MockMvc mockMvc;
+
+  @Test
+  void shouldLoadCSRFData() throws Exception {
+    final MvcResult mvcResult =
+        mockMvc.perform(get("/voyager")).andExpect(status().isOk()).andReturn();
+
+    final Document document = Jsoup.parse(mvcResult.getResponse().getContentAsString());
+    final String script = document.body().select("body script").dataNodes().get(0).getWholeData();
+    assertThat(script).contains("let csrf = null");
+  }
+}
diff --git a/graphql-spring-boot-autoconfigure/src/test/java/graphql/kickstart/autoconfigure/web/reactive/MonoAutoConfigurationTest.java b/graphql-spring-boot-autoconfigure/src/test/java/graphql/kickstart/autoconfigure/web/reactive/MonoAutoConfigurationTest.java
index 10816035..4fccbeb4 100644
--- a/graphql-spring-boot-autoconfigure/src/test/java/graphql/kickstart/autoconfigure/web/reactive/MonoAutoConfigurationTest.java
+++ b/graphql-spring-boot-autoconfigure/src/test/java/graphql/kickstart/autoconfigure/web/reactive/MonoAutoConfigurationTest.java
@@ -9,6 +9,8 @@
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
+import org.springframework.boot.autoconfigure.security.reactive.ReactiveSecurityAutoConfiguration;
 import org.springframework.boot.test.context.SpringBootTest;
 import org.springframework.http.MediaType;
 import org.springframework.test.context.junit.jupiter.SpringExtension;
diff --git a/graphql-spring-boot-autoconfigure/src/test/java/graphql/kickstart/autoconfigure/web/reactive/MonoGenericWrapperAlreadyDefinedTest.java b/graphql-spring-boot-autoconfigure/src/test/java/graphql/kickstart/autoconfigure/web/reactive/MonoGenericWrapperAlreadyDefinedTest.java
index 79839de3..8562ee45 100644
--- a/graphql-spring-boot-autoconfigure/src/test/java/graphql/kickstart/autoconfigure/web/reactive/MonoGenericWrapperAlreadyDefinedTest.java
+++ b/graphql-spring-boot-autoconfigure/src/test/java/graphql/kickstart/autoconfigure/web/reactive/MonoGenericWrapperAlreadyDefinedTest.java
@@ -4,6 +4,7 @@
 
 import graphql.kickstart.tools.SchemaParserOptions.GenericWrapper;
 import lombok.RequiredArgsConstructor;
+import lombok.extern.slf4j.Slf4j;
 import lombok.val;
 import org.json.JSONException;
 import org.json.JSONObject;
@@ -18,6 +19,7 @@
 import org.springframework.test.web.reactive.server.WebTestClient;
 import reactor.core.publisher.Mono;
 
+@Slf4j
 @RequiredArgsConstructor
 @ExtendWith(SpringExtension.class)
 @SpringBootTest(
@@ -41,6 +43,7 @@ void monoWrapper() throws JSONException {
             .exchange()
             .returnResult(String.class);
     val response = result.getResponseBody().blockFirst();
+    log.info("Response: {}", response);
     val json = new JSONObject(response);
     assertThat(json.getJSONObject("data").get("hello")).isEqualTo("Hello world");
   }
diff --git a/graphql-spring-boot-autoconfigure/src/test/resources/application.yml b/graphql-spring-boot-autoconfigure/src/test/resources/application.yml
index 7c27c886..f8da4096 100644
--- a/graphql-spring-boot-autoconfigure/src/test/resources/application.yml
+++ b/graphql-spring-boot-autoconfigure/src/test/resources/application.yml
@@ -3,4 +3,8 @@ server:
   forward-headers-strategy: framework
 spring:
   autoconfigure:
-    exclude: org.springframework.boot.autoconfigure.security.SecurityAutoConfiguration
+    exclude:
+      - org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration
+      - org.springframework.boot.actuate.autoconfigure.security.servlet.ManagementWebSecurityAutoConfiguration
+      - org.springframework.boot.autoconfigure.security.reactive.ReactiveSecurityAutoConfiguration
+      - org.springframework.boot.actuate.autoconfigure.security.reactive.ReactiveManagementWebSecurityAutoConfiguration