What is the reason to disable csrf in spring boot web application?
Solution 1
What is the real-life reason to disable it?
The Spring documentation suggests:
Our recommendation is to use CSRF protection for any request that could be processed by a browser by normal users. If you are only creating a service that is used by non-browser clients, you will likely want to disable CSRF protection.
Does it improve performance?
It shouldn't impact the performance. A filter (or another component) will be removed from the request processing chain to make the feature unavailable.
What is the reason to disable csrf in a Spring Boot application?
- You are using another token mechanism.
- You want to simplify interactions between a client and the server.
Solution 2
Spring recommends using it when serving browser clients; if not, it may be disabled:
Our recommendation is to use CSRF protection for any request that could be processed by a browser by normal users. If you are only creating a service that is used by non-browser clients, you will likely want to disable CSRF protection.
I will add that even if you serve browser clients, but it's used internally only, you may want to / be able to remove it.
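As an added example (not code from the question or either answer), this is how the two cases from the Spring quote can live in one Spring Boot application instead of a blanket `csrf().disable()`: a filter chain for non-browser API clients where CSRF is switched off, and a separate chain for browser users where Spring's default CSRF protection stays on. It assumes Spring Boot 3 / Spring Security 6 with the lambda DSL; the `/api/**` path split is an assumption.

```java
package example.security;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;

// Added example, not code from the question or answers. Assumes Spring Boot 3 /
// Spring Security 6 lambda DSL; the "/api/**" path split is an assumption.
@Configuration
@EnableWebSecurity
public class CsrfScopingConfig {

    // What most tutorials show, applied to the whole application:
    //     http.csrf(csrf -> csrf.disable());
    // That removes CsrfFilter for every endpoint, so any browser holding a
    // session cookie for this app can be made to send state-changing requests.
    // The Spring docs' condition for doing this is "no browser clients at all".

    // Chain 1: non-browser API clients only. Credentials are sent explicitly on
    // each request and no session cookie is issued, so there is nothing for a
    // cross-site request to ride on and CSRF can be switched off for this path.
    @Bean
    @Order(1)
    SecurityFilterChain apiChain(HttpSecurity http) throws Exception {
        http.securityMatcher("/api/**")
            .csrf(csrf -> csrf.disable())
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .httpBasic(Customizer.withDefaults())
            .authorizeHttpRequests(a -> a.anyRequest().authenticated());
        return http.build();
    }

    // Chain 2: everything a browser reaches. No csrf(...) call, so Spring's
    // default CsrfFilter stays in place and POST/PUT/PATCH/DELETE need the token.
    @Bean
    @Order(2)
    SecurityFilterChain browserChain(HttpSecurity http) throws Exception {
        http.formLogin(Customizer.withDefaults())
            .authorizeHttpRequests(a -> a.anyRequest().authenticated());
        return http.build();
    }
}
```

Note that a browser which has cached HTTP Basic credentials will also send them automatically, so the `/api/**` chain is only safe if it really is used by non-browser clients alone, which is exactly the condition the Spring documentation states.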
arminvanbuuren
Updated on June 06, 2022
Comments
- arminvanbuuren almost 2 years
  There are many tutorials where it is shown how to disable csrf, csrf().disable() (and other possibilities like .properties, .yml, etc.), but nowhere is it explained why they do this? So my questions are: What is the real-life reason to disable it? Does it improve performance?
- arminvanbuuren over 5 years
  So the essence of my question is: **why** I may want to do this? What is the reason I'm so eager to disable it? Why cannot I just forget about it?
- Rob Winch about 4 years
  You do not want to disable CSRF protection for internal sites. This will allow attackers to bypass firewalls since CSRF happens within your browser which is present behind any firewalls. I'd recommend reading through docs.spring.io/spring-security/site/docs/5.3.x/reference/html5/…