diff --git a/src/main/java/de/avatic/lcc/config/SecurityConfig.java b/src/main/java/de/avatic/lcc/config/SecurityConfig.java
index f49ea2f..5bf31d0 100644
--- a/src/main/java/de/avatic/lcc/config/SecurityConfig.java
+++ b/src/main/java/de/avatic/lcc/config/SecurityConfig.java
@@ -91,9 +91,18 @@ public class SecurityConfig {
                 )
                 .csrf(csrf -> csrf
                         .ignoringRequestMatchers("/oauth2/token") // CSRF für OAuth deaktivieren
+                        .ignoringRequestMatchers("/login/oauth2/code/**")
+                        .requireCsrfProtectionMatcher(request -> {
+
+                            String authHeader = request.getHeader("Authorization");
+                            if (authHeader != null && authHeader.startsWith("Bearer ")) {
+                                return false;
+                            }
+
+                            return true;
+                        })
                         .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
                         .csrfTokenRequestHandler(new LccCsrfTokenRequestHandler())
-                        .ignoringRequestMatchers("/login/oauth2/code/**")
                 )
                 .addFilterAfter(new CsrfCookieFilter(), BasicAuthenticationFilter.class)
                 .addFilterBefore(
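Review bot: The `return true` fallback at the end of the new requireCsrfProtectionMatcher lambda drops the safe-method exclusion, because `requireCsrfProtectionMatcher` replaces Spring Security's default matcher (`CsrfFilter.DEFAULT_CSRF_MATCHER`, which skips GET/HEAD/TRACE/OPTIONS) rather than narrowing it, so unless the Spring Security version in use behaves differently every GET without a bearer header now has to present a CSRF token and a fresh browser session is rejected before it ever receives the cookie; change the last line to `return CsrfFilter.DEFAULT_CSRF_MATCHER.matches(request);`. The bearer check itself is the usual reason to skip CSRF, but it keys only on the header's presence, not on the token being valid or being what actually authenticates the request, so a session-cookie-authenticated request that also carries a junk `Authorization: Bearer x` header is exempted; that is only safe as long as the CORS configuration (not visible in this hunk) refuses credentialed cross-origin requests that set an Authorization header, which deserves a comment on the lambda such as `// Skip CSRF only for bearer clients: browsers never attach this header on their own and cross-origin use requires CORS consent`. The securityFilterChain method enclosing this builder chain starts and ends outside the hunk.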