Spring Security - CSRF token on GET request

I configured CSRF protection in my Spring 5 (Boot 2) RESTful web service because I want to prevent CSRF attacks (I am using a JWT cookie for authentication and authorization). On each request I am getting a new XSRF cookie. I send the value of that cookie back through the X-CSRF-TOKEN header.

I noticed that the POST, PUT and DELETE methods require the value of this token (in the X-CSRF-TOKEN header) in order to work properly, but the GET method works just fine without the X-CSRF-TOKEN header.

Is this behavior intentional because the GET method should not change state, or did I do something wrong?

so247m asked Dec 20 '25 03:12


1 Answer

The CSRF token is intentionally excluded from GET to avoid token leakage to a third party.

identigral answered Dec 21 '25 20:12
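The behaviour the answer describes, spelled out in a Spring Security 5 / Spring Boot 2 configuration. This is an added example, not code from the question or from Spring's own sources; the package, class and endpoint names are hypothetical. It reproduces the set of HTTP methods that Spring's built-in matcher exempts from the token check (GET, HEAD, TRACE, OPTIONS), wires the cookie-based token repository the question is using, and adds a small controller to show why a GET handler that changes state stays exposed no matter how the CSRF filter is configured.

```java
package com.example.csrfdemo; // hypothetical package name

import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.http.HttpServletRequest;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.web.bind.annotation.DeleteMapping;
import org.springframework.web.bind.annotation.RestController;

@Configuration
@EnableWebSecurity
public class CsrfConfig extends WebSecurityConfigurerAdapter {

    // The same four methods Spring Security's default CsrfFilter matcher skips:
    // the "safe" methods of RFC 7231 (GET, HEAD, OPTIONS) plus TRACE.
    // Requests using any other method must carry a valid token.
    private static final Set<String> SAFE_METHODS =
            new HashSet<>(Arrays.asList("GET", "HEAD", "TRACE", "OPTIONS"));

    static final RequestMatcher UNSAFE_METHODS_ONLY =
            (HttpServletRequest request) -> !SAFE_METHODS.contains(request.getMethod());

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf()
                // Cookie-based repository: the token is written to the XSRF-TOKEN
                // cookie with HttpOnly=false so browser JavaScript can read it and
                // echo it back in a header. By default this repository expects the
                // header to be named X-XSRF-TOKEN (or the _csrf request parameter).
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
                // Identical to Spring's default; written out so the GET exemption
                // is visible in the configuration rather than implicit.
                .requireCsrfProtectionMatcher(UNSAFE_METHODS_ONLY)
            .and()
            .authorizeRequests()
                .anyRequest().authenticated();
    }
}

@RestController
class AccountController {

    // Anti-pattern (left as a comment on purpose): a state change behind GET.
    // A cross-site page can trigger it with <img src="https://api.example/account/delete">
    // and the browser attaches the JWT cookie; the CSRF filter never looks at GET,
    // so no token setting helps here. The fix is the mapping below, not a stricter matcher.
    //
    // @GetMapping("/account/delete")
    // public void deleteViaGet() { ... }

    // Correct: the state change uses an unsafe method, which the CsrfFilter
    // protects. A cross-site caller cannot read the XSRF-TOKEN cookie from
    // another origin, so it cannot supply the matching header.
    @DeleteMapping("/account")
    public void deleteAccount() {
        // delete the caller's account (hypothetical body)
    }
}
```

Two checks worth making against a real deployment: first, confirm that no handler mapped to GET mutates anything, because the exemption above is only safe if GET really is read-only; second, check the header name against the repository in use, since CookieCsrfTokenRepository defaults to X-XSRF-TOKEN while X-CSRF-TOKEN is the default of the session-backed repository, and a mismatch can be overridden with setHeaderName on the repository.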


