I'm looking for a (hopefully straightforward) way to add CSRF protection to an application build on Spring WebFlow 2.
An approach that migrates well to Spring WebFlow 3 (when released) is preferred.
Disabling CSRF in security configuration code: a Spring Boot application configures its security details in a custom class that extends WebSecurityConfigurerAdapter, and the CSRF feature can be switched off there with "http.csrf().disable()".
To protect MVC applications, Spring adds a CSRF token to each generated view. This token must be submitted to the server on every HTTP request that modifies state (PATCH, POST, PUT and DELETE — not GET). This protects our application against CSRF attacks since an attacker can't get this token from their own page.
To prevent CSRF attacks, use anti-forgery tokens with any authentication protocol where the browser silently sends credentials after the user logs in. This includes cookie-based authentication protocols, such as forms authentication, as well as protocols such as Basic and Digest authentication.
CSRF is an attack that forces an end user to execute unwanted actions on a web application in which they are currently authenticated. CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request.
The easiest way to prevent CSRF is to check the referer, request.getHeader("referer"), to make sure the request is coming from the same domain. This method is covered by the CSRF Prevention Cheat Sheet.
It's common to see this CSRF protection system on embedded network hardware with limited memory requirements; Motorola uses this method on most of their hardware. This isn't the most secure CSRF protection, token-based protection is better, but both systems can still be bypassed with XSS. The biggest problem with token-based CSRF protection is that it takes a lot of time to go back and fix every request, and you will probably miss a few requests.
A secure way to implement this is to check the referer on all incoming POST requests, and use POST for sensitive functions like changing passwords, adding user accounts, executing code, making configuration changes. GET should only be used for navigation or searching, basically GET is safe for anything that doesn't cause a state change.
Make sure you test your site with an XSS scanner.
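As an added illustration (not code from the question or the answer above), a hypothetical servlet filter that implements the check the answer describes, generalized to prefer the Origin header over Referer and to cover every state-changing method rather than POST alone; the class name, the filter's placement and the ALLOWED_HOSTS value are assumptions.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical filter: rejects state-changing requests whose Origin (or, failing
 *  that, Referer) does not name this application's own host. Register it in
 *  web.xml ahead of the WebFlow DispatcherServlet. Not part of Spring WebFlow. */
public class SameOriginFilter implements Filter {
    // Methods that must not change state and therefore need no check.
    private static final Set<String> SAFE_METHODS =
            new HashSet<>(Arrays.asList("GET", "HEAD", "OPTIONS", "TRACE"));
    // Assumed value: host (plus port when non-default) allowed to submit forms.
    private static final Set<String> ALLOWED_HOSTS =
            new HashSet<>(Arrays.asList("app.example.com"));

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        if (SAFE_METHODS.contains(request.getMethod()) || isSameOrigin(request)) {
            chain.doFilter(req, res);
        } else {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "Cross-site request rejected");
        }
    }

    /** Origin is sent by browsers on cross-site POSTs and is harder to strip than
     *  Referer, so it is consulted first; Referer is the fallback. */
    static boolean isSameOrigin(HttpServletRequest request) {
        String source = request.getHeader("Origin");
        if (source == null) source = request.getHeader("Referer");
        // Neither header present: fail closed rather than trust the request.
        if (source == null) return false;
        try {
            URI uri = new URI(source);
            String host = uri.getHost();
            if (host == null) return false;
            if (uri.getPort() != -1) host = host + ":" + uri.getPort();
            return ALLOWED_HOSTS.contains(host.toLowerCase());
        } catch (URISyntaxException e) {
            return false;
        }
    }

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}
}
```

Failing closed when both headers are absent will reject legitimate clients that strip them, so log those rejections and watch the rate before relying on this in production.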