Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

What is the reason to disable csrf in spring boot web application?

Tags:

java

spring

spring-boot

csrf

spring-security

There are many tutorials where is shown how to disable csrf, 

csrf().disable()

(and other possibilities like .properties, .yml, etc.) but nowhere explained why they do this?

So my questions are:

What is the real-life reason to disable it?
Is it improves performance?

like image 777
arminvanbuuren Avatar asked Sep 17 '18 08:09

arminvanbuuren

People also ask

Why do we disable CSRF in Spring boot?

It is an attack that forces an end user to execute unwanted actions on a web application in which they are currently authenticated. CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request.

What is the use of CSRF in Spring Security?

To protect MVC applications, Spring adds a CSRF token to each generated view. This token must be submitted to the server on every HTTP request that modifies state (PATCH, POST, PUT and DELETE — not GET). This protects our application against CSRF attacks since an attacker can't get this token from their own page.

Is CSRF enabled by default in Spring boot?

Configure CSRF ProtectionSpring Security's CSRF protection is enabled by default, but you may need to customize the configuration.

2 Answers

What is the real-life reason to disable it?

The Spring documentation suggests:

Our recommendation is to use CSRF protection for any request that could be processed by a browser by normal users. If you are only creating a service that is used by non-browser clients, you will likely want to disable CSRF protection.

Does it improve performance?

It shouldn't impact the performance. A filter (or another component) will be removed from the request processing chain to make the feature unavailable.

What is the reason to disable csrf in a Spring Boot application?

  1. You are using another token mechanism.
  2. You want to simplify interactions between a client and the server.
like image 183
Andrew Tobilko Avatar answered Oct 18 '22 04:10

Andrew Tobilko

Spring recommend using it when serving browser clients, if not it may be disabled:

Our recommendation is to use CSRF protection for any request that could be processed by a browser by normal users. If you are only creating a service that is used by non-browser clients, you will likely want to disable CSRF protection.

I will add that even if you serve browser clients, but it's used internally only you may want/able to remove it.

like image 29
user7294900 Avatar answered Oct 18 '22 04:10

user7294900
Sign in to Comment

Related questions

Catch a generic exception in Java?
Iterating through a LinkedHashMap in reverse order
How to disable Gradle daemon in IntelliJ Idea?
Programmatic use of Spring Security
Implementing multiple fragments in a single activity Dynamically
Create XML file using java
Android Proguard Javascript Interface Fail
How can I generate WADL for REST services
How to inject a Mock in a Spring Context [duplicate]
Is it possible to configure logback logger levels on the command line?
resuming an activity from a notification
Android ProGuard - only obfuscation
How to write JUnit test with Spring Autowire?
How to implement the same interface multiple times, but with different generics? [duplicate]
enum implementation inside interface - Java
java.net.MalformedURLException: no protocol on URL based on a string modified with URLEncoder
Why does javac insert Objects.requireNonNull(this) for final fields?
Exception message is null?
How do I make a Java library with Eclipse?
Android Emulator: Unable to start webcam to capture picture in emulator

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!