Comments (3)
@ptrckkk thanks for reaching out!
If you start the application and send the following POST request via curl
curl -X POST http://localhost:8080/hello --cookie "XSRF-TOKEN=123" --header "X-XSRF-TOKEN: 123"
the backend will respond with "Hello, there" meaning the endpoint was reached and executed.
Please be aware that using curl in this way does not simulate normal browser behavior. While you can specify arbitrary cookie and header values using curl, browsers will prevent sending arbitrary cookie values (via a Cookie header) in the request. Also be aware that the behavior you're referring to is specific to CookieCsrfTokenRepository and not just the documentation example. There is not an issue with the behavior of the cookie-based implementation.
In the future, if you feel you have found a security issue, please report it responsibly. Please also spend some time reading the Cross Site Request Forgery chapter in the reference and other resources covering CSRF and web application security.
I'm going to close this issue with the above explanation, as others have noted concern over this issue while it remains unresolved.
from spring-security.
In the future, if you feel you have found a security issue, please report it responsibly.
First of all, I did not intend to report a possible security issue irresponsibly and am now aware of how to do it more responsibly in the future!
I still do not understand why everything works as expected which is why I ask further questions.
-
Also be aware that the behavior you're referring to is specific to CookieCsrfTokenRepository and not just the documentation example.
If I do not get it wrong, the documentation example uses csrfTokenRepository = CookieCsrfTokenRepository.withHttpOnlyFalse(), which I use in my example, too, see my SecurityConfig. This leads me to the conclusion that I do not understand what you mean. Could you elaborate more on that?
-
There is not an issue with the behavior of the cookie-based implementation.
I do not want to argue with that statement.
SPAs might use an API provided by a backend which does not rely on cookies. I assumed that the CSRF protection works independently of whether cookies are used or not. The documentation for this SPA section says
Configure a custom CsrfTokenRequestHandler that resolves the CSRF token based on whether it is an HTTP request header (X-XSRF-TOKEN) or request parameter (_csrf).
Thus, I would assume that it works with header parameters - and without any cookies.
These are my open questions.
Maybe the documentation could be extended to show how to do CSRF protection for SPAs that use an API backend not relying on cookies?
from spring-security.
I still do not understand why everything works as expected which is why I ask further questions.
I am sorry you are not understanding. However, it feels like these are questions that would be better suited to Stack Overflow. We prefer to use GitHub issues only for bugs and enhancements. Feel free to update this issue with a link to the re-posted question (so that other people can find it).
Maybe the documentation could be extended how to do CSRF protection for SPAs that use an API backend not relying on cookies?
I believe this request does not account for how CSRF protection works, which relies on both a storage mechanism for the expected CSRF token (session or cookie) as well as an actual (resolved) token value (HTTP header or parameter). As I mentioned above, please spend some time understanding how CSRF protection works by reviewing the documentation (linked in my earlier comment).
from spring-security.
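The maintainer's point in the last comment, that the check needs both a stored expected token (here the XSRF-TOKEN cookie) and a resolved actual token (the X-XSRF-TOKEN header or the _csrf parameter), and the earlier point about why the curl command reaches the endpoint, can be seen in a small model of the double-submit cookie check. The following Python is an added example and is not part of this thread or of Spring Security's own code; Request, csrf_check and scenarios are hypothetical names, the cookie, header and parameter names are the ones the thread refers to, and the sample requests are constructed.

```python
"""Simplified model of a cookie-based CSRF check (double-submit cookie pattern).
Constructed for illustration only; this is not Spring Security's implementation."""
from dataclasses import dataclass, field
import hmac
import secrets

COOKIE_NAME = "XSRF-TOKEN"      # cookie holding the expected token
HEADER_NAME = "X-XSRF-TOKEN"    # header a same-origin SPA copies the cookie value into
PARAM_NAME = "_csrf"            # fallback request parameter
SAFE_METHODS = {"GET", "HEAD", "TRACE", "OPTIONS"}


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (constructed, not a framework type)."""
    method: str
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)
    params: dict = field(default_factory=dict)


def issue_token() -> str:
    """Value the server would place in the XSRF-TOKEN cookie on a first response."""
    return secrets.token_urlsafe(32)


def load_expected_token(req: Request):
    """Storage half: the expected token is read back from the cookie (no session)."""
    return req.cookies.get(COOKIE_NAME)


def resolve_actual_token(req: Request):
    """Resolution half: take the header if present, otherwise the _csrf parameter."""
    return req.headers.get(HEADER_NAME) or req.params.get(PARAM_NAME)


def csrf_check(req: Request) -> bool:
    """Accept only when both halves are present and equal (constant-time compare)."""
    if req.method.upper() in SAFE_METHODS:
        return True
    expected = load_expected_token(req)
    actual = resolve_actual_token(req)
    if expected is None or actual is None:
        return False
    return hmac.compare_digest(expected, actual)


def scenarios() -> dict:
    """Five POSTs through the same check; each value is whether it was accepted."""
    token = issue_token()
    return {
        # SPA on the app's own origin: JS reads the non-HttpOnly cookie and echoes it
        "same_origin_spa": csrf_check(Request(
            "POST", cookies={COOKIE_NAME: token}, headers={HEADER_NAME: token})),
        # Form auto-submitted from another site: the browser may attach the cookie
        # (subject to SameSite), but that site cannot read it, so no matching
        # header or parameter accompanies the request
        "cross_site_form": csrf_check(Request(
            "POST", cookies={COOKIE_NAME: token}, params={"amount": "100"})),
        # Client that sends only a header and no cookie (the "SPA without cookies"
        # case from the thread): there is nothing to compare against
        "header_only_no_cookie": csrf_check(Request(
            "POST", headers={HEADER_NAME: token})),
        # Cookie present but its value does not match the header
        "mismatched_values": csrf_check(Request(
            "POST", cookies={COOKIE_NAME: token}, headers={HEADER_NAME: "123"})),
        # The curl command from the thread: the client chose both values itself, so
        # the pair matches and the endpoint is reached; a browser would not let a
        # foreign page set that cookie value, which is what the check relies on
        "curl_self_chosen_pair": csrf_check(Request(
            "POST", cookies={COOKIE_NAME: "123"}, headers={HEADER_NAME: "123"})),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:24s} -> {'accepted' if ok else 'rejected'}")
```

The header-only case is the one the original question asks about: with CookieCsrfTokenRepository there is no expected value to compare a header against unless the cookie is also present, so a backend that wants no cookies at all has to store the expected token somewhere else (for example in the session), which is the storage half the maintainer's last comment describes.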