There are many tutorials that show how to disable CSRF, csrf().disable() (and other possibilities like .properties, .yml, etc.), but nowhere is it explained why they do this.
So my questions are:
What is the real-life reason to disable it?
Does it improve performance?
It is an attack that forces an end user to execute unwanted actions on a web application in which they are currently authenticated. CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request.
To protect MVC applications, Spring adds a CSRF token to each generated view. This token must be submitted to the server on every HTTP request that modifies state (PATCH, POST, PUT and DELETE — not GET). This protects our application against CSRF attacks since an attacker can't get this token from their own page.
Configure CSRF Protection
Spring Security's CSRF protection is enabled by default, but you may need to customize the configuration.
What is the real-life reason to disable it?
The Spring documentation suggests:
Our recommendation is to use CSRF protection for any request that could be processed by a browser by normal users. If you are only creating a service that is used by non-browser clients, you will likely want to disable CSRF protection.
Does it improve performance?
It shouldn't impact the performance. A filter (or another component) will be removed from the request processing chain to make the feature unavailable.
What is the reason to disable csrf in a Spring Boot application?
Spring recommends using it when serving browser clients; if not, it may be disabled:
Our recommendation is to use CSRF protection for any request that could be processed by a browser by normal users. If you are only creating a service that is used by non-browser clients, you will likely want to disable CSRF protection.
I will add that even if you serve browser clients, if it's used internally only you may want (or be able) to remove it.
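The recommendation quoted in both answers, shown as a configuration (an added example, not code from the question, the answers or the Spring documentation). It assumes Spring Boot with Spring Security 6.x and the OAuth2 resource-server starter with a JWT issuer configured; the `/api/**` path and the class and method names are hypothetical.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class SecurityConfig {

    // Chain 1 (hypothetical path): /api/** is called by non-browser clients
    // that attach a bearer token to the Authorization header themselves.
    @Bean
    @Order(1)
    SecurityFilterChain apiChain(HttpSecurity http) throws Exception {
        http
            .securityMatcher("/api/**")
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            // No session is created, so no cookie exists that a browser could
            // attach automatically to a forged cross-site request.
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            // Assumption: JWT validation is configured elsewhere (issuer URI
            // or a JwtDecoder bean).
            .oauth2ResourceServer(oauth2 -> oauth2.jwt(Customizer.withDefaults()))
            // Safe to disable only because authentication here never relies
            // on credentials the browser sends on its own.
            .csrf(csrf -> csrf.disable());
        return http.build();
    }

    // Chain 2: everything else is used from a browser with a session cookie.
    // csrf() is not touched, so Spring Security's default protection stays on
    // and PATCH, POST, PUT and DELETE requests must carry the token.
    @Bean
    @Order(2)
    SecurityFilterChain browserChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .formLogin(Customizer.withDefaults());
        return http.build();
    }
}
```

Scoping the disable to one matcher keeps it from spreading to session-based endpoints; if an endpoint under `/api/**` ever starts accepting the session cookie, it belongs in the browser chain instead.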