
If we use a template engine on the server side, we can pass the CSRF token to the client like this:

<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>

(From this Article)

But if we can't use a template engine at all, we should pass the CSRF token to the client using response headers like this:

import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository;

// Option 1: read the token that CsrfFilter stored as a request attribute
CsrfToken token = (CsrfToken) request.getAttribute("_csrf");
// Spring Security will allow the Token to be included in this header name
response.setHeader("X-CSRF-HEADER", token.getHeaderName());
// Spring Security will allow the token to be included in this parameter name
response.setHeader("X-CSRF-PARAM", token.getParameterName());
// this is the value of the token to be included as either a header or an HTTP parameter
response.setHeader("X-CSRF-TOKEN", token.getToken());

// Option 2: read the same token directly from the session attribute
// under which HttpSessionCsrfTokenRepository stores it
public static final String DEFAULT_CSRF_TOKEN_ATTR_NAME = HttpSessionCsrfTokenRepository.class.getName().concat(".CSRF_TOKEN");
CsrfToken sessionToken = (CsrfToken) request.getSession().getAttribute(DEFAULT_CSRF_TOKEN_ATTR_NAME);

(From this Article)

In the latter way, the server should provide a dummy REST API to the client, because the client can't make an AJAX call before the first HTML page is loaded.

Is it dangerous to get the CSRF token in the latter way?

firia2000

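A browser-side counterpart to the header-based approach, added here as an example (it is not code from the question or from Spring Security): it calls the token endpoint once with the session cookie attached, reads the three X-CSRF-* headers the Spring code above sets, and puts the token only on state-changing requests. The endpoint path "/csrf" and the helper names are assumptions.

```javascript
// Added example, not from the original question.
// Assumes the Spring endpoint above is mounted at /csrf (assumption).

// Methods Spring Security's CSRF filter does not protect, so no token is sent.
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

// Pull the three bootstrap headers. `headers` is anything with get(name),
// e.g. the Headers object of a fetch() Response.
function parseCsrfHeaders(headers) {
  const headerName = headers.get("X-CSRF-HEADER");
  const paramName = headers.get("X-CSRF-PARAM");
  const token = headers.get("X-CSRF-TOKEN");
  if (!headerName || !paramName || !token) {
    throw new Error("CSRF bootstrap response is missing an X-CSRF-* header");
  }
  return { headerName, paramName, token };
}

// Build fetch() options for a later request. The token is bound to the
// session, so the session cookie must go along ("same-origin"); the token
// header is added only for non-safe methods, under the name the server chose.
function buildRequestInit(method, body, csrf) {
  const init = { method: method.toUpperCase(), credentials: "same-origin", headers: {} };
  if (body !== undefined) {
    init.headers["Content-Type"] = "application/json";
    init.body = JSON.stringify(body);
  }
  if (!SAFE_METHODS.has(init.method)) {
    init.headers[csrf.headerName] = csrf.token;
  }
  return init;
}

// One same-origin bootstrap call; the result is reused for the page's lifetime.
async function fetchCsrf(endpoint = "/csrf") {
  const res = await fetch(endpoint, { method: "GET", credentials: "same-origin" });
  if (!res.ok) throw new Error(`CSRF bootstrap failed: HTTP ${res.status}`);
  return parseCsrfHeaders(res.headers);
}

// Usage (in a browser): const csrf = await fetchCsrf();
//   fetch("/api/orders", buildRequestInit("post", { id: 1 }, csrf));
```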