Reason to disable CSRF in spring boot

GTemp

I am seeing that all tutorials and guides disable the default CSRF protection of Spring Boot after enabling HTTPS (SSL)?

Don't we need the default CSRF protection? Does enabling SSL handle CSRF?

I am confused about why we disable the default CSRF protection in Spring apps.

Avnish

CSRF protection is needed when you have web form submissions, which are prone to "cross-site requests" from other tabs in the same browser. These applications typically generate the entire HTML on the server side using template engines (like Velocity, JSF, Thymeleaf, etc.).

Modern applications, however, rely mostly on REST API endpoints (instead of traditional controllers that used to emit HTML). These endpoints are designed to consume and generate mostly JSON. The intended consumers of these APIs are either mobile apps, web frameworks (like ReactJS, AngularJS or similar) or other B2B applications. These APIs are mostly stateless and DO NOT rely on server-side sessions or browser cookies. As per the CSRF explanation, one of the conditions (cookie-based session handling) is no longer relevant, thus these APIs are not prone to CSRF attacks. This is the primary reason why most modern apps (which expose APIs only) disable CSRF for these endpoints.

Hope it helps.
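As an added example (not from the question or the answer above), here is a Spring Security 6 configuration that applies the distinction the answer draws: CSRF protection is switched off only for a stateless, bearer-token JSON API under the assumed path prefix `/api/**`, while the server-rendered, cookie-session part of the same application keeps the Spring Boot default. It assumes `spring-boot-starter-security` and `spring-boot-starter-oauth2-resource-server` are on the classpath and a JWT issuer is configured in application properties.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class SecurityConfig {

    // Chain 1 (assumed path prefix /api/**): a stateless JSON API.
    // No HTTP session is created and no session cookie is issued; clients send a
    // bearer token explicitly on every request. Because the browser never attaches
    // ambient credentials automatically, a cross-site request from another tab cannot
    // ride on the victim's authentication, so CSRF protection adds nothing here and
    // is disabled for this chain only.
    @Bean
    @Order(1)
    public SecurityFilterChain apiChain(HttpSecurity http) throws Exception {
        http
            .securityMatcher("/api/**")
            .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .csrf(csrf -> csrf.disable())
            .oauth2ResourceServer(oauth2 -> oauth2.jwt(Customizer.withDefaults()))
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated());
        return http.build();
    }

    // Chain 2: everything else is the server-rendered, form-login, cookie-session
    // side of the application. A session cookie is ambient credential that the
    // browser sends on cross-site form posts, so CSRF protection stays enabled
    // (this is the Spring Boot default; it is written out here for contrast).
    // Thymeleaf/JSP forms then carry the _csrf hidden field automatically.
    @Bean
    @Order(2)
    public SecurityFilterChain webChain(HttpSecurity http) throws Exception {
        http
            .formLogin(Customizer.withDefaults())
            .csrf(Customizer.withDefaults())
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated());
        return http.build();
    }
}
```

If a browser-based SPA on the same origin authenticates with a session cookie rather than a bearer token, the cookie-based condition still holds for that API and the first chain's `csrf.disable()` should not be applied to it.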
