Is CSRF mandatory for a backend REST application consuming JSON only?

Numerous resources claim that (source1) (source2):

For resources exposed by RESTful web services, it's important to make sure any PUT, POST, and DELETE request is protected from Cross Site Request Forgery.

CSRF is mandatory for all applications with a minimum of concern about web security

However the Spring Security docs say:

use CSRF protection for any request that could be processed by a browser by normal users. If you are only creating a service that is used by non-browser clients, you will likely want to disable CSRF protection.

So, is it OK to disable CSRF for an application that:

  • only exposes a REST API
  • only consumes JSON (checks the request's Content-Type header)
Adam Siemion asked Dec 01 '15 20:12


1 Answer

It depends on the client of your API. CSRF attacks are based on the fact that the client automatically sends the cookies (authorization) of the requested URL with the HTTP request. If your client is not doing that (typically browsers do that automatically), you should be OK.

The reason why is: if your API consumer is not authenticated/authorized in your application via cookies (which are automatically stored by the browser), an attacker cannot use any other web page to carry out a successful CSRF attack (send an HTTP request from another page with your API's cookies from the browser).

In other words, I can't imagine that you will have an API client written in a way that it can send requests to your API, store cookies (your authentication) and also somehow show you some content that a "silly" user interacts with, sending requests to your API with the cookies (your authentication) from previous API requests.

zdenda.online answered Oct 21 '22 17:10
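The thread's reasoning turns on two facts: whether the credential is attached by the browser on its own (cookies, or cached HTTP Basic credentials) and whether a cross-site HTML form can produce the request at all. The Python below is an added example, not code from the question, the answer or Spring Security; the `Request` class, the `csrf_decision` function and the sample requests are assumptions made for illustration. It applies the strict `Content-Type: application/json` check the question describes and shows the one combination that check still has to refuse: a cookie-authenticated write carrying a content type an HTML form can send.

```python
from dataclasses import dataclass, field

# Content types a cross-site HTML form (or a fetch that needs no CORS
# preflight) can send; anything else cannot be forged from a plain page.
FORM_CONTENT_TYPES = {
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
}
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


@dataclass
class Request:
    """Minimal stand-in for a framework request object (assumption, not a real API)."""
    method: str
    headers: dict = field(default_factory=dict)

    def header(self, name):
        """Case-insensitive header lookup; None when the header is absent."""
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None


def media_type(req):
    """Bare media type of Content-Type: 'application/json; charset=utf-8' -> 'application/json'."""
    return (req.header("Content-Type") or "").split(";")[0].strip().lower()


def uses_ambient_credentials(req):
    """True when the browser would attach the credential without any script involvement."""
    if req.header("Cookie"):
        return True
    auth = (req.header("Authorization") or "").lower()
    return auth.startswith("basic ")  # browsers replay cached Basic credentials too


def csrf_decision(req):
    """Return (allowed, reason) for a request to a JSON-only endpoint.

    allowed=False means a forged cross-site form could have produced this
    request with the victim's ambient credential, so it must carry a CSRF
    token or be rejected outright.
    """
    if req.method.upper() in SAFE_METHODS:
        return True, "safe method: nothing state-changing to forge"
    if not uses_ambient_credentials(req):
        return True, "credential is not ambient: a forged request cannot carry it"
    mtype = media_type(req)
    if mtype == "application/json":
        return True, "application/json cannot be sent by a cross-site form"
    if mtype in FORM_CONTENT_TYPES or mtype == "":
        return False, f"cookie-authenticated write with form-capable type {mtype!r}: require CSRF token"
    return False, f"cookie-authenticated write with unexpected type {mtype!r}: reject"


# Constructed sample requests for the demo (not captured traffic).
SAMPLES = {
    "bearer_json": Request("POST", {"Authorization": "Bearer abc", "Content-Type": "application/json"}),
    "cookie_json": Request("POST", {"Cookie": "session=xyz", "Content-Type": "application/json; charset=utf-8"}),
    "cookie_form": Request("POST", {"Cookie": "session=xyz", "Content-Type": "application/x-www-form-urlencoded"}),
    "cookie_textplain": Request("POST", {"Cookie": "session=xyz", "Content-Type": "text/plain"}),
    "cookie_get": Request("GET", {"Cookie": "session=xyz"}),
    "basic_form": Request("DELETE", {"Authorization": "Basic dXNlcjpwdw==", "Content-Type": "multipart/form-data; boundary=x"}),
}


def run_samples():
    """Evaluate every sample request; returns {name: allowed}."""
    return {name: csrf_decision(req)[0] for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, req in SAMPLES.items():
        allowed, reason = csrf_decision(req)
        print(f"{name:17} {'ALLOW ' if allowed else 'REJECT'}  {reason}")
```

The decision only holds under two conditions the thread leaves implicit: the server must never fall back to parsing JSON out of a `text/plain` or form-encoded body, and CORS must not grant credentialed access to untrusted origins, since a permissive CORS policy lets a script send `application/json` with cookies and bypasses the check entirely. When the API is reached by browsers with cookie sessions at all, the Spring documentation's advice applies and a CSRF token (or a SameSite cookie policy) remains the safer default; the Content-Type check is a useful defence in depth, not a substitute.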