How to use Spring CSRF security feature for stateless endpoints?

Question

How to use Spring CSRF security feature for stateless endpoints?

I am using Spring Security with a stateless web service. I would like to use the CSRF features in Spring Security 3.2. Is this possible with a stateless web application?

This is the appropriate Java Config since I currently have to disable CSRF.

@Override protected void configure(HttpSecurity http) throws Exception { http .sessionManagement() .sessionCreationPolicy(SessionCreationPolicy.STATELESS) .sessionFixation().none().and() .csrf().disable(); }

+8

java spring-security csrf

checketts Dec 16 '13 at 23:11

source share

1 answer

CrimsonCricket · Answer 1 · 2017-04-17T15:07:26+0000

If your service is truly stateless, CSRF protection might not make sense. As long as the server does not use cookies to identify / authenticate the user, your service is not vulnerable to CSRF attacks.

For a detailed description, see http://sitr.us/2011/08/26/cookies-are-bad-for-you.html

How to use Spring CSRF security feature for stateless endpoints?

More articles: