What is the reason to disable CSRF in a Spring Boot web application?


Solution 1

What is the real-life reason to disable it?

The Spring documentation suggests:

Our recommendation is to use CSRF protection for any request that could be processed by a browser by normal users. If you are only creating a service that is used by non-browser clients, you will likely want to disable CSRF protection.


Does it improve performance?

It shouldn't impact performance. A filter (or another component) will be removed from the request processing chain to make the feature unavailable.

What is the reason to disable CSRF in a Spring Boot application?

  1. You are using another token mechanism.
  2. You want to simplify interactions between a client and the server.

Solution 2

Spring recommends using it when serving browser clients; if not, it may be disabled:

Our recommendation is to use CSRF protection for any request that could be processed by a browser by normal users. If you are only creating a service that is used by non-browser clients, you will likely want to disable CSRF protection.

I will add that even if you serve browser clients but it's used internally only, you may want to (or be able to) remove it.
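Both answers give the same two cases: keep CSRF protection wherever a browser with a session cookie can reach the endpoint, and drop it only where the client authenticates with a token it sends explicitly on every request. The configuration below is an added example (not code from the question, the answers, or the Spring project) showing how to express that split in Spring Security 6 with two filter chains instead of disabling CSRF globally. The `/api/**` prefix, the use of JWT bearer tokens, and the presence of the `spring-boot-starter-oauth2-resource-server` dependency are assumptions made for the illustration.

```java
// Added example (not from the question or answers): Spring Security 6 configuration
// that keeps CSRF protection for browser-facing pages and turns it off only for a
// stateless, token-authenticated API. The /api/** prefix and JWT bearer auth are
// assumptions for illustration.
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    // Chain 1: the REST API. Clients authenticate with a bearer token on every request
    // and no session cookie is issued, so a browser cannot be tricked into attaching
    // credentials to a cross-site request here. This is the "another token mechanism"
    // case from the answers, and the only place CSRF protection is switched off.
    @Bean
    @Order(1)
    SecurityFilterChain apiChain(HttpSecurity http) throws Exception {
        http
            .securityMatcher("/api/**")
            .csrf(csrf -> csrf.disable())
            .sessionManagement(session ->
                session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .oauth2ResourceServer(oauth2 -> oauth2.jwt(Customizer.withDefaults()));
        return http.build();
    }

    // Chain 2: everything else (server-rendered pages, form login, session cookie).
    // CSRF protection stays on. It is the default, so the explicit csrf(...) call is
    // only there to make the contrast with the API chain visible. This holds for
    // "internal" sites too: the forged request runs in the user's own browser, which
    // already sits inside the network perimeter.
    @Bean
    @Order(2)
    SecurityFilterChain browserChain(HttpSecurity http) throws Exception {
        http
            .csrf(Customizer.withDefaults())
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .formLogin(Customizer.withDefaults());
        return http.build();
    }
}
```

With this layout a global `csrf().disable()` is never needed: the stateless chain matches first for `/api/**` and the session-based chain keeps the default token check for every other path, so a quick way to verify the configuration is a POST to a page endpoint without the token (expect 403) and a POST to `/api/...` with a valid bearer token (expect success).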

Author: arminvanbuuren
Updated on June 06, 2022

Comments

  • arminvanbuuren almost 2 years

    There are many tutorials where it is shown how to disable CSRF,

    csrf().disable()
    

    (and other possibilities like .properties, .yml, etc.) but nowhere is it explained why they do this.

    So my questions are:

    What is the real-life reason to disable it?
    Does it improve performance?

  • arminvanbuuren over 5 years
    So the essence of my question is: **why** I may want to do this? What is the reason I'm so eager to disable it? Why can't I just forget about it?
  • Rob Winch about 4 years
    You do not want to disable CSRF protection for internal sites. This will allow attackers to bypass firewalls, since CSRF happens within your browser, which is present behind any firewalls. I'd recommend reading through docs.spring.io/spring-security/site/docs/5.3.x/reference/html5/…