 

Spring boot STATELESS application with JWT auth and csrf token

I have a Spring Boot application with JWT auth which works great! But I have disabled CSRF with the STATELESS policy:

        http
            .csrf()
                .disable()                                   // turns off Spring Security's CsrfFilter
            .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS); // never create an HttpSession

This REST API is for an SPA React application. I read that when I'm using a JWT token then I don't need to set a CSRF token. Does JWT work like CSRF protection (HOW)? I think that this is not CSRF protection.

user1089362 asked Oct 21 '19 20:10



People also ask

Can JWT be used as CSRF token?

Storing the CSRF token in a JWT makes it possible for the back-end application to verify that it produced the token itself. Combining the CSRF token with an account identifier makes it impossible for attackers to reuse a token for another user, even if they were able to replace cookies.

How do I enable CSRF token in spring boot?

CSRF protection is on by default in Spring Security; to enable it, remove the `.csrf().disable()` call from your Spring Security config class. With the default setup, if you look at the source code of the page, you will see the _csrf parameter being added automatically to the form by Spring Security.

How do I pass CSRF token in REST API?

The CSRF token is stored in the client. The CSRF token is required for any later REST API calls. The client must send a valid token with every API request. The token is sent in a custom request HTTP header.

Is WebSecurityConfigurerAdapter deprecated?

From Spring Boot 2.7, WebSecurityConfigurerAdapter is deprecated.


1 Answer

CSRF attacks are about taking advantage of the fact that browsers always include cookies in requests to the requested server (including session IDs), so the attacker pretends that he is the genuine user while performing a malicious action.

If your endpoints are stateless (that means you are not using cookies for authentication) then you do not need CSRF protection.

Ahmed AL-Tihami answered Oct 01 '22 07:10
