Does keycloak handle CSRF protection in it's token handling?

Hello All,

I’m trying to find more information on protecting my apps/services from CSRF attacks. Does keycloak protect us from this by default or is it configurable? The only topics I can see are around protecting the keycloak UI from CSRF attacks which look to have been addressed. Does keycloak delegate CSRF protection to the application itself ?

Any insight would be greatly appreciated.