Menu
Numerous resources claim that (source1) (source2)
For resources exposed by RESTful web services, it's important to make sure any PUT, POST, and DELETE request is protected from Cross Site Request Forgery.
CSRF is mandatory for all applications with a minimum of concern about web security
However the Spring Security docs say:
use CSRF protection for any request that could be processed by a browser by normal users. If you are only creating a service that is used by non-browser clients, you will likely want to disable CSRF protection.
So, is it ok to disable CSRF for an application that?
419
It depends on the client of your API. CSRF attacks are based on the fact that client automatically sends cookies (authorization) of requested URL with the HTTP request. If your client is not doing that (typically browsers do that automatically), you should be OK.
The reason why is: If your API consumer is not authenticated/authorized in your application via cookies (that are automatically stored by the browser), attacker cannot use any other web page to do successful CSRF attack (send HTTP request from other page with cookies of your API from browser).
In other words, I can't imagine that you will have API client written in a way that it can send requests to your API, store cookies (your authentication) and also can somehow show you some content that "silly" user interacts - sends requests to your API with cookies (your authentication) from previous API requests.
175
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
