diff --git a/application/src/main/java/run/halo/app/security/CsrfConfigurer.java b/application/src/main/java/run/halo/app/security/CsrfConfigurer.java
index bac91e04bc..229050cfb6 100644
--- a/application/src/main/java/run/halo/app/security/CsrfConfigurer.java
+++ b/application/src/main/java/run/halo/app/security/CsrfConfigurer.java
@@ -1,30 +1,29 @@
 package run.halo.app.security;
 
-import static org.springframework.security.web.server.csrf.CookieServerCsrfTokenRepository.withHttpOnlyFalse;
 import static org.springframework.security.web.server.util.matcher.ServerWebExchangeMatchers.pathMatchers;
 
 import org.springframework.security.config.web.server.ServerHttpSecurity;
+import org.springframework.security.web.server.csrf.CookieServerCsrfTokenRepository;
 import org.springframework.security.web.server.csrf.CsrfWebFilter;
-import org.springframework.security.web.server.csrf.ServerCsrfTokenRequestAttributeHandler;
+import org.springframework.security.web.server.csrf.XorServerCsrfTokenRequestAttributeHandler;
 import org.springframework.security.web.server.util.matcher.AndServerWebExchangeMatcher;
 import org.springframework.security.web.server.util.matcher.NegatedServerWebExchangeMatcher;
 import org.springframework.stereotype.Component;
 import run.halo.app.security.authentication.SecurityConfigurer;
 
 @Component
-public class CsrfConfigurer implements SecurityConfigurer {
+class CsrfConfigurer implements SecurityConfigurer {
 
     @Override
     public void configure(ServerHttpSecurity http) {
         var csrfMatcher = new AndServerWebExchangeMatcher(
             CsrfWebFilter.DEFAULT_CSRF_MATCHER,
-            new NegatedServerWebExchangeMatcher(pathMatchers("/api/**", "/apis/**", "/system/setup")
-            ));
+            new NegatedServerWebExchangeMatcher(
+                pathMatchers("/api/**", "/apis/**", "/system/setup"))
+        );
         http.csrf(csrfSpec -> csrfSpec
-            .csrfTokenRepository(withHttpOnlyFalse())
-            // TODO Use XorServerCsrfTokenRequestAttributeHandler instead when console implements
-            // the algorithm
-            .csrfTokenRequestHandler(new ServerCsrfTokenRequestAttributeHandler())
+            .csrfTokenRepository(new CookieServerCsrfTokenRepository())
+            .csrfTokenRequestHandler(new XorServerCsrfTokenRequestAttributeHandler())
             .requireCsrfProtectionMatcher(csrfMatcher));
     }
 
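Review bot: Replacing `withHttpOnlyFalse()` with the bare `new CookieServerCsrfTokenRepository()` also flips the XSRF-TOKEN cookie to HttpOnly (that class's default), a change the hunk makes silently while deleting the only comment that described the token contract. Combined with `XorServerCsrfTokenRequestAttributeHandler`, a client that reads the cookie from `document.cookie` and echoes it in `X-XSRF-TOKEN` — what the removed configuration supported — can no longer read it, and a raw cookie value in that header would not resolve against the masked form the XOR handler expects, so such requests will be rejected. If the console or any other JS client still does this for paths outside `/api/**`, `/apis/**` and `/system/setup`, it now has to obtain the masked token from the `CsrfToken` request attribute instead; worth confirming before merging. I would keep that contract next to the configuration: `// XSRF-TOKEN is HttpOnly (repository default); clients must send the XOR-masked token` / `// exposed via the CsrfToken request attribute (e.g. a hidden _csrf field), not the raw cookie.`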
diff --git a/application/src/test/java/run/halo/app/infra/exception/handlers/I18nExceptionTest.java b/application/src/test/java/run/halo/app/infra/exception/handlers/I18nExceptionTest.java
index e217f3cfb9..2dbc0ccfa8 100644
--- a/application/src/test/java/run/halo/app/infra/exception/handlers/I18nExceptionTest.java
+++ b/application/src/test/java/run/halo/app/infra/exception/handlers/I18nExceptionTest.java
@@ -1,6 +1,7 @@
 package run.halo.app.infra.exception.handlers;
 
 import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.springframework.security.test.web.reactive.server.SecurityMockServerConfigurers.csrf;
 
 import java.util.Locale;
 import org.junit.jupiter.api.AfterEach;
@@ -121,9 +122,8 @@ void shouldGetErrorIfThrowingGeneralException() {
 
     @Test
     void shouldGetConflictError() {
-        webClient.put().uri("/response-entity/conflict-error")
-            .header("X-XSRF-TOKEN", "fake-token")
-            .cookie("XSRF-TOKEN", "fake-token")
+        webClient.mutate().apply(csrf()).build()
+            .put().uri("/response-entity/conflict-error")
             .exchange()
             .expectStatus().isEqualTo(HttpStatus.CONFLICT)
             .expectBody(ProblemDetail.class)
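Review bot: The rewritten shouldGetConflictError exercises only the accepted path through the `csrf()` mock configurer, so nothing asserts that the scheme the removed lines emulated — the raw cookie value copied into `X-XSRF-TOKEN` — is now refused under the XOR request handler, and a regression back to the plain handler would pass unnoticed. A companion case such as `webClient.put().uri("/response-entity/conflict-error").cookie("XSRF-TOKEN", "fake-token").header("X-XSRF-TOKEN", "fake-token").exchange().expectStatus().isForbidden()` would pin that, assuming the application's access-denied handling maps a CSRF failure to 403 — confirm against the configured handler. The body of shouldGetConflictError continues past the end of the hunk.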