
I am seeing that all tutorials and guides disable the default CSRF protection of Spring Boot after enabling HTTPS (SSL).

Don't we need the default CSRF protection? Does enabling SSL handle CSRF?

I am confused about why we are disabling the default CSRF protection in Spring apps.

GTemp
  • Does this answer your question? [What does Cookie CsrfTokenRepository.withHttpOnlyFalse () do and when to use it?](https://stackoverflow.com/questions/62648098/what-does-cookie-csrftokenrepository-withhttponlyfalse-do-and-when-to-use-it) – Romil Patel Jul 02 '20 at 14:32
  • Hi, thank you for the suggested link. I am not using any UI frameworks. I am using the same server-side HTMLs / JSPs. – GTemp Jul 03 '20 at 16:01

1 Answer


CSRF protection is needed when you have web form submissions, which are prone to "cross-site requests" from other tabs in the same browser. These applications typically generate the entire HTML on the server side using template engines (like Velocity, JSF, Thymeleaf etc.).

Modern applications, however, rely mostly on REST API endpoints (instead of traditional controllers which used to emit HTML). These endpoints are designed to consume and generate mostly JSON. The intended consumers of these APIs are either mobile apps, web frameworks (like ReactJS, AngularJS or alike) or other B2B applications. These APIs are mostly stateless and DO NOT rely on server-side sessions or browser cookies. As per the CSRF explanation, one of the conditions (cookie-based session handling) is no longer relevant; thus these APIs are not prone to CSRF attacks. This is the primary reason why most modern apps (which expose APIs only) disable CSRF for these endpoints.

Hope it helps.

Avnish
  • Thank you. Really in detail. One query: if I am not disabling CSRF, will it affect any places? Let it be, right? I am not using any UI frameworks; I am using the same HTML/JSP files in that app. – GTemp Jul 03 '20 at 15:58
  • Keeping CSRF checks in place generally wouldn't adversely affect your application's HTML/JSP endpoints. If, however, you choose to expose REST API endpoints from within the same application, you'll likely have to disable CSRF for those selected REST endpoints so they work without a CSRF token in the request. – Avnish Jul 04 '20 at 08:22