softwaremill / akka-http-session

Web & mobile client-side akka-http sessions, with optional JWT support

Home Page: https://softwaremill.com/open-source/

CSRF protection can be bypassed with empty header and empty cookie

willemvermeer opened this issue · comments

Hi,
When you send a POST to an endpoint protected by randomTokenCsrfProtection and pass in an empty X-XSRF-TOKEN header and an XSRF-TOKEN cookie with an empty value, the filter will let you pass.

I think this is due to the check in randomTokenCsrfProtection on line 26:

    if (submitted == cookie) {
      pass
    }

but the value itself is not inspected and could possibly be empty.

Hope this can be fixed, thanks,
Willem
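The comparison quoted above, reproduced as a standalone example (added here, not code from akka-http-session) next to a hardened double-submit check that rejects absent, empty or short tokens and compares in constant time. Header and cookie names are taken from the report; MIN_TOKEN_LEN and the sample requests are constructed assumptions.

```python
import hmac
import secrets

# Names used by randomTokenCsrfProtection, as given in the report.
HEADER = "X-XSRF-TOKEN"
COOKIE = "XSRF-TOKEN"
MIN_TOKEN_LEN = 16  # assumption: a random token is never shorter than this


def vulnerable_check(headers: dict, cookies: dict) -> bool:
    """Mirrors the check quoted in the issue: equal values pass,
    including the case where both are the empty string."""
    submitted = headers.get(HEADER, "")
    cookie = cookies.get(COOKIE, "")
    return submitted == cookie


def hardened_check(headers: dict, cookies: dict) -> bool:
    """Double-submit check that also requires both values to be present,
    non-empty and plausibly long, and compares them in constant time."""
    submitted = headers.get(HEADER)
    cookie = cookies.get(COOKIE)
    if not submitted or not cookie:            # missing or "" -> reject
        return False
    if len(submitted) < MIN_TOKEN_LEN or len(cookie) < MIN_TOKEN_LEN:
        return False
    return hmac.compare_digest(submitted.encode(), cookie.encode())


def new_token() -> str:
    """Fresh random token, as a server would issue in the cookie."""
    return secrets.token_urlsafe(32)


def sample_cases() -> dict:
    """Constructed requests: (headers, cookies) pairs for each scenario."""
    tok = new_token()
    return {
        "valid": ({HEADER: tok}, {COOKIE: tok}),
        "empty_both": ({HEADER: ""}, {COOKIE: ""}),
        "missing_both": ({}, {}),
        "mismatch": ({HEADER: tok}, {COOKIE: new_token()}),
    }


if __name__ == "__main__":
    for name, (h, c) in sample_cases().items():
        print(f"{name:13} vulnerable={vulnerable_check(h, c)!s:5} "
              f"hardened={hardened_check(h, c)}")
```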

Fixed in 0.5.11. Thanks for the report!