 

What is the reason to disable csrf in spring boot web application?

There are many tutorials that show how to disable CSRF,

csrf().disable() 

(and other options such as .properties, .yml, etc.), but nowhere is it explained why they do this.

So my questions are:

What is the real-life reason to disable it?
Does it improve performance?

arminvanbuuren asked Sep 17 '18 08:09


People also ask

Why do we disable CSRF in Spring boot?

It is an attack that forces an end user to execute unwanted actions on a web application in which they are currently authenticated. CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request.

What is the use of CSRF in Spring Security?

To protect MVC applications, Spring adds a CSRF token to each generated view. This token must be submitted to the server on every HTTP request that modifies state (PATCH, POST, PUT and DELETE — not GET). This protects our application against CSRF attacks since an attacker can't get this token from their own page.

Is CSRF enabled by default in Spring boot?

Spring Security's CSRF protection is enabled by default, but you may need to customize the configuration.


2 Answers

What is the real-life reason to disable it?

The Spring documentation suggests:

Our recommendation is to use CSRF protection for any request that could be processed by a browser by normal users. If you are only creating a service that is used by non-browser clients, you will likely want to disable CSRF protection.


Does it improve performance?

It shouldn't impact performance. A filter (or another component) is simply removed from the request processing chain to make the feature unavailable.

What is the reason to disable csrf in a Spring Boot application?

  1. You are using another token mechanism.
  2. You want to simplify interactions between a client and the server.
Andrew Tobilko answered Oct 18 '22 04:10


Spring recommends using it when serving browser clients; if not, it may be disabled:

Our recommendation is to use CSRF protection for any request that could be processed by a browser by normal users. If you are only creating a service that is used by non-browser clients, you will likely want to disable CSRF protection.

I will add that even if you serve browser clients, if it's used internally only you may want to, or be able to, remove it.

user7294900 answered Oct 18 '22 04:10