I don't believe there's much you need to do. Boot doesn't do anything specific as far as I saw in the docs [1]; it's just relying on Spring Security. The info here [2] should be most relevant, assuming you're on Boot 2.0. Section 19.4 walks through what you need to do, which isn't all that much.
1.) Don't overload GET. Make proper use of PUT/POST/DELETE and other HTTP verbs.
2.) You don't need to enable CSRF protection as it's enabled by default. You can verify by trying to submit one of your forms. You should see a 403 "access denied" response. This is because of the CSRF protection.
3.) Modify your forms to include the CSRF token. When submitted with the token, you'll get past the 403. The csrfInput tag you mentioned should do exactly that.
If you're having issues, check section 19.5 "Caveats" to see if you're running into any of those issues.
Hope that helps!
[1] - https://docs.spring.io/spring-boot/docs/2.0.4.RELEASE/reference/htmlsingle/#boot-features-security-csrf
[2] - https://docs.spring.io/spring-security/site/docs/5.0.7.RELEASE/reference/htmlsingle/#csrf
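The check described in steps 2 and 3 can be automated. The following is an added example, not part of the original reply: a JUnit 4 / MockMvc test that asserts the default CSRF behaviour. It assumes spring-boot-starter-web, spring-boot-starter-security, spring-boot-starter-test and spring-security-test are on the classpath; the package, class names and the `/transfer` endpoint are hypothetical.

```java
package com.example.csrfdemo; // hypothetical package
import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.context.junit4.SpringRunner;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RestController;
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf;
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.user;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

@RunWith(SpringRunner.class)
@SpringBootTest
@AutoConfigureMockMvc
public class CsrfDefaultsTest {
    // Hypothetical minimal app: one state-changing POST endpoint, default security config.
    @SpringBootApplication
    @RestController
    static class App {
        @PostMapping("/transfer")
        String transfer() { return "ok"; }
    }

    @Autowired private MockMvc mvc;

    @Test
    public void postWithoutTokenIsRejected() throws Exception {
        // Authenticated user but no CSRF token: the request is answered with 403.
        mvc.perform(post("/transfer").with(user("alice")))
           .andExpect(status().isForbidden());
    }

    @Test
    public void postWithInvalidTokenIsRejected() throws Exception {
        mvc.perform(post("/transfer").with(user("alice")).with(csrf().useInvalidToken()))
           .andExpect(status().isForbidden());
    }

    @Test
    public void postWithValidTokenIsAccepted() throws Exception {
        // csrf() supplies the token a form would carry via the csrfInput tag.
        mvc.perform(post("/transfer").with(user("alice")).with(csrf()))
           .andExpect(status().isOk());
    }
}
```

If the first test ever starts returning 200, CSRF protection has been disabled somewhere in the security configuration.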