diff --git a/src/main/java/com/ase/userservice/controllers/DemoController.java b/src/main/java/com/ase/userservice/controllers/DemoController.java
index 36062429..823727ec 100644
--- a/src/main/java/com/ase/userservice/controllers/DemoController.java
+++ b/src/main/java/com/ase/userservice/controllers/DemoController.java
@@ -5,7 +5,6 @@
 @RestController
 public class DemoController {
-
 // to manage access, add route rules in security/SecurityConfig.java like in the
 // examples
 @GetMapping("/demo")
diff --git a/src/main/java/com/ase/userservice/security/JwtAuthConverter.java b/src/main/java/com/ase/userservice/security/JwtAuthConverter.java
index 6cebcdd3..197ad76d 100644
--- a/src/main/java/com/ase/userservice/security/JwtAuthConverter.java
+++ b/src/main/java/com/ase/userservice/security/JwtAuthConverter.java
@@ -1,5 +1,6 @@
 // based on this tutorial: https://www.javacodegeeks.com/2025/07/spring-boot-keycloak-role-based-authorization.html
+
 package com.ase.userservice.security;
 import org.springframework.core.convert.converter.Converter;
diff --git a/src/main/java/com/ase/userservice/security/SecurityConfig.java b/src/main/java/com/ase/userservice/security/SecurityConfig.java
index 8c2122dd..33b68222 100644
--- a/src/main/java/com/ase/userservice/security/SecurityConfig.java
+++ b/src/main/java/com/ase/userservice/security/SecurityConfig.java
@@ -8,24 +8,26 @@
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
 import org.springframework.security.web.SecurityFilterChain;
-
+
 @Configuration
 @EnableMethodSecurity
 public class SecurityConfig {
-
- @Bean
- public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
- JwtAuthenticationConverter jwtConverter = new JwtAuthenticationConverter();
- jwtConverter.setJwtGrantedAuthoritiesConverter(new JwtAuthConverter());
-
- // the role always has to be capatalized
- http
- .authorizeHttpRequests(authorize -> authorize
+
+ @Bean
+ public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
+ JwtAuthenticationConverter jwtConverter = new JwtAuthenticationConverter();
+ jwtConverter.setJwtGrantedAuthoritiesConverter(new JwtAuthConverter());
+
+
+ //the role always has to be capitalized
+ http
+ .csrf(csrf -> csrf.disable()) // Disable CSRF for API endpoints isnt needed for our purpose since we are not using cookies for auth
+ .authorizeHttpRequests(authorize -> authorize
 .requestMatchers("/demo").hasRole("DEFAULT-ROLES-SAU")
 .requestMatchers("/admin/**").hasRole("admin")
 .anyRequest().authenticated())
- .oauth2ResourceServer(oauth2 -> oauth2
+ .oauth2ResourceServer(oauth2 -> oauth2
 .jwt(jwt -> jwt.jwtAuthenticationConverter(jwtConverter)));
- return http.build();
- }
+ return http.build();
+ }
 }
\ No newline at end of file
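Review bot: The added `.csrf(csrf -> csrf.disable())` is justified in its comment by "we are not using cookies for auth", but the chain never declares the session policy, so Spring Security's default (IF_REQUIRED) can still create an HTTP session and JSESSIONID cookie, which is exactly the condition under which CSRF protection matters. Make the stated assumption true in code by adding `.sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))` to the chain (import `org.springframework.security.config.http.SessionCreationPolicy`), and reword the comment to `// CSRF disabled: stateless bearer-token API, no session cookie is ever issued (see STATELESS below)`. Separately, the new comment `//the role always has to be capitalized` sits next to `hasRole("admin")` in lowercase and `hasRole("DEFAULT-ROLES-SAU")`, which is at least inconsistent; whether these names match what JwtAuthConverter emits (hasRole adds the ROLE_ prefix) cannot be confirmed from this hunk and is worth checking against that converter. The rest of the `filterChain` method is visible here, so no further context is hidden.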