<form:form> in JSTL have CSRF included? (Spr

Published 2019-09-10 12:22

Question:

I came across a tutorial on handling logins in Spring Security with custom forms, and at some point the tutorial makes this statement:

In case we are using spring <form:form>, we need not to include tag for CSRF.

Why is there no need to use CSRF with forms in JSTL?

Hope you can help, because CSRF is not that well documented, or at least not well explained.

Answer 1:

<form:form> is the Spring tag when using JSP, which implies they are already taking care of the CSRF if it's their own tag. Straight from their documentation:

If you are using Spring MVC tag or Thymeleaf 2.1+ and are using @EnableWebSecurity, the CsrfToken is automatically included for you (using the CsrfRequestDataValueProcessor).
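As an added illustration (not part of the original answer), here is what the tag saves you from writing: a plain HTML form in the same JSP has to emit the token by hand from the `_csrf` request attribute, while `<form:form>` gets the identical hidden field appended at render time by CsrfRequestDataValueProcessor. It assumes a Spring MVC application with @EnableWebSecurity and the default CSRF configuration; `/login` and the field names are placeholders.

```jsp
<%@ taglib prefix="form" uri="http://www.springframework.org/tags/form" %>

<%-- Plain HTML form: Spring MVC does not post-process it, so the token
     must be written out by hand from the _csrf request attribute that
     CsrfFilter exposes. Leave this hidden field out and the POST is
     rejected with 403 by CsrfFilter. --%>
<form action="/login" method="post">
    <input type="text" name="username"/>
    <input type="password" name="password"/>
    <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
    <button type="submit">Log in</button>
</form>

<%-- Spring form tag: with @EnableWebSecurity, the CsrfRequestDataValueProcessor
     bean adds the same hidden field when the tag renders (POST is the tag's
     default method). The rendered HTML contains, with default settings:
     <input type="hidden" name="_csrf" value="<token value>"/> --%>
<form:form action="/login" method="post">
    <input type="text" name="username"/>
    <input type="password" name="password"/>
    <button type="submit">Log in</button>
</form:form>

<%-- Caveat: the processor only adds the token for non-GET forms, so a
     <form:form method="get"> renders no token. That is correct behaviour:
     Spring Security does not CSRF-check safe methods (GET, HEAD, OPTIONS,
     TRACE), and a token in a GET query string would leak into logs and
     Referer headers. --%>
```

If you want the same automatic behaviour in a hand-written `<form>`, the Spring Security JSP tag library's `<sec:csrfInput/>` tag renders the hidden field for you; either way the protection only holds while CSRF support stays enabled in the security configuration.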