
I have a single-page application on Spring, and I want to protect the app from CSRF attacks.

Is it possible to send a token per request in Spring Security (CSRF Synchronizer Token Pattern)?

And does Spring support such a feature?

JohnWinter
  • Why do you want token per request over token per session? Have you considered the implications on caching? – Neil McGuigan Aug 20 '15 at 22:19
  • Because I fire multiple requests via Ajax without page reloading. If a hacker gets the token from the session, then the app will be insecure. – JohnWinter Aug 20 '15 at 22:27
  • Don't let the hacker get the token then. Use httpOnly session cookie. Avoid XSS as per https://stackoverflow.com/questions/29012109/adding-additonal-security-to-website/29015666#29015666 – Neil McGuigan Aug 21 '15 at 00:28
  • @NeilMcGuigan and what about `implications on caching`? What could they be? – JohnWinter Aug 21 '15 at 00:46
  • You would not be able to use HTTP caching with token-per-request, as every response would be different. – Neil McGuigan Aug 21 '15 at 00:49
  • I'm not sure, but it seems that in my case it is no more Synchronizer Token Pattern, but Double Submit Cookies Pattern instead. Am I right? – JohnWinter Aug 21 '15 at 11:39

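The question asks whether Spring Security can issue a new CSRF token per request instead of one per session. Out of the box it does not: the default `HttpSessionCsrfTokenRepository` keeps one synchronizer token for the life of the session, and `CsrfFilter` only generates a token when none is stored. Rotation can be added with a filter placed after `CsrfFilter`, which has already rejected any mismatched token with a 403 by the time the filter runs. The following is an added example written for this answer, not code from the question or from Spring Security itself; it assumes the Spring Security 4.x/5.x servlet stack with Java configuration (`WebSecurityConfigurerAdapter`, which later versions deprecate), a session-backed token store, and a client that reads the rotated token from the response header. The class names `CsrfConfig` and `RotatingCsrfTokenFilter` are my own.

```java
// Added example (not from the question or from Spring Security).
// Assumes Spring Security 4.x/5.x, Java config, session-backed CSRF tokens.
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.csrf.CsrfFilter;
import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.security.web.csrf.CsrfTokenRepository;
import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository;
import org.springframework.web.filter.OncePerRequestFilter;

@EnableWebSecurity
public class CsrfConfig extends WebSecurityConfigurerAdapter {

    // Default synchronizer-token store: one token per HTTP session.
    private final CsrfTokenRepository tokenRepository = new HttpSessionCsrfTokenRepository();

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf().csrfTokenRepository(tokenRepository)
            .and()
            // Placed after CsrfFilter: by the time it runs, an invalid token has already been rejected.
            .addFilterAfter(new RotatingCsrfTokenFilter(tokenRepository), CsrfFilter.class);
    }

    /** Rotates the token after every state-changing request and publishes the current one in a header. */
    static class RotatingCsrfTokenFilter extends OncePerRequestFilter {
        private final CsrfTokenRepository repository;

        RotatingCsrfTokenFilter(CsrfTokenRepository repository) {
            this.repository = repository;
        }

        @Override
        protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                        FilterChain chain) throws ServletException, IOException {
            // CsrfFilter stores the token it validated (or freshly generated) as a request attribute.
            CsrfToken current = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
            if (current != null) {
                CsrfToken toPublish = current;
                if (!isSafeMethod(request.getMethod())) {
                    // Valid token was consumed by this POST/PUT/DELETE: issue a replacement.
                    toPublish = repository.generateToken(request);
                    repository.saveToken(toPublish, request, response);
                }
                // The Ajax client reads this header (default name X-CSRF-TOKEN) for its next request.
                response.setHeader(toPublish.getHeaderName(), toPublish.getToken());
                // Per-request tokens make every response unique, so it must never be cached.
                response.setHeader("Cache-Control", "no-store");
            }
            chain.doFilter(request, response);
        }

        private static boolean isSafeMethod(String method) {
            return "GET".equals(method) || "HEAD".equals(method)
                || "OPTIONS".equals(method) || "TRACE".equals(method);
        }
    }
}
```

Two caveats before using this. First, it only matters if the single token is actually at risk: with an `HttpOnly` session cookie and no XSS, the per-session token cannot be read by another origin, which is why the comments push back on rotation. Second, rotation interacts badly with the parallel Ajax requests described in the question: if two state-changing requests are in flight with the same token, the second one arrives after the first has rotated it and is rejected with 403, so the client must serialize such requests or retry with the new token from the header. The pattern the last comment mentions, the double-submit cookie, is also available in Spring Security from version 4.1 as `CookieCsrfTokenRepository` (typically `CookieCsrfTokenRepository.withHttpOnlyFalse()` so JavaScript can copy the cookie value into the header); it remains a per-session token, but no server-side state is needed.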