Is CSRF required for a REST backend application using only JSON?

Numerous resources (source1, source2) claim that:

For the resources provided by RESTful web services, it is important to ensure that any PUT, POST, and DELETE request is protected from Cross-Site Request Forgery.

CSRF protection is required for any application with even a minimal concern for online security.

However, the Spring Security docs say:

Use CSRF protection for any request that could be processed by a browser by normal users. If you are creating a service that is used only by non-browser clients, you will most likely want to disable CSRF protection.

So, is it possible to disable CSRF protection for an application that:

  • provides only REST APIs
  • consumes only JSON (checks the Content-Type header)
2 answers

It depends on the client of your API. CSRF attacks rely on the fact that the client automatically sends the cookies (authorization) of the requested URL along with an HTTP request. If your client does not do that (browsers usually do it automatically), you should be fine.

Reason: if your API user is not authenticated / authorized in your application using cookies (which are stored automatically in the browser), an attacker cannot use another web page for a successful CSRF attack (sending an HTTP request from another page with your API's cookies from the browser).

In other words, I can't imagine that you would have an API client written in such a way that it can send requests to your API, store cookies (your authentication), and also somehow show a “stupid” user content that they interact with, which then sends requests to your API using the cookies (your authentication) from previous API requests.


Pretty easy to explain this:

The CSRF token is created based on the HTTP session. If your API holds an HTTP session, you really want to protect it with a CSRF token, BUT most REST services are designed to be stateless, in which case you cannot / should not use a CSRF token.

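The two answers above make the same practical point from two sides: a forged cross-site request can only carry what the browser adds on its own (cookies), and it can only take the shape an HTML form can produce. The following Node.js request gate is an added example, not code from the original question or answers, and not Spring Security code. It authenticates state-changing requests with an explicit Authorization header instead of a session cookie, and it enforces the JSON-only Content-Type check the question lists, including rejecting the enctype="text/plain" form trick that puts a JSON-looking body into a form post. The token value, route handling and sample requests are constructed for illustration.

```javascript
// Added example (not from the original post): a minimal request gate for a
// JSON-only REST endpoint, showing why bearer-header authentication plus a
// strict Content-Type check is not forgeable from a cross-site <form>.
// All request objects are constructed by hand; the token store and the
// accepted token value are assumptions for illustration only.
'use strict';

const VALID_TOKENS = new Set(['tok-alice']); // assumed token store

// Strict media-type check: exactly application/json (parameters such as
// charset are allowed, case is ignored).
function isJsonContentType(header) {
  if (typeof header !== 'string') return false;
  const mediaType = header.split(';')[0].trim().toLowerCase();
  return mediaType === 'application/json';
}

// HTML forms can only produce these three encodings, so a request carrying
// one of them could have been auto-submitted from an attacker's page with
// the victim's cookies attached by the browser.
const FORM_ENCODINGS = new Set([
  'application/x-www-form-urlencoded',
  'multipart/form-data',
  'text/plain',
]);

// Decide whether a request may proceed.
// req = { method, headers: { 'content-type', authorization, cookie }, body }
// Returns { ok, status, reason }.
function gateRequest(req) {
  const method = String(req.method || 'GET').toUpperCase();
  const h = req.headers || {};
  const ct = h['content-type'];

  if (!['POST', 'PUT', 'DELETE', 'PATCH'].includes(method)) {
    return { ok: true, status: 200, reason: 'safe method' };
  }

  // Authentication comes from an explicit Authorization header, never from
  // the cookie jar. A cross-site form submission cannot set this header.
  const auth = typeof h.authorization === 'string' ? h.authorization : '';
  const m = /^Bearer\s+(\S+)$/i.exec(auth);
  if (!m || !VALID_TOKENS.has(m[1])) {
    return { ok: false, status: 401, reason: 'missing or invalid bearer token' };
  }

  // Reject anything a <form> could have produced, regardless of how the
  // body looks, and require application/json explicitly.
  if (!isJsonContentType(ct)) {
    const mt = typeof ct === 'string' ? ct.split(';')[0].trim().toLowerCase() : '';
    const reason = FORM_ENCODINGS.has(mt) ? 'form encoding rejected' : 'unsupported media type';
    return { ok: false, status: 415, reason };
  }

  // Only now is the body parsed as JSON.
  try {
    JSON.parse(req.body);
  } catch (e) {
    return { ok: false, status: 400, reason: 'malformed JSON' };
  }
  return { ok: true, status: 200, reason: 'accepted' };
}

// Constructed sample requests, one per decision path.
const SAMPLES = {
  // A real API client: bearer token plus a JSON body.
  legit: {
    method: 'POST',
    headers: { 'content-type': 'application/json; charset=utf-8', authorization: 'Bearer tok-alice' },
    body: '{"amount":10}',
  },
  // Classic CSRF: auto-submitted form. The browser attaches the session
  // cookie, but the attacker's page cannot add an Authorization header.
  forgedForm: {
    method: 'POST',
    headers: { 'content-type': 'application/x-www-form-urlencoded', cookie: 'SESSION=abc' },
    body: 'amount=10',
  },
  // enctype="text/plain" trick: the body is JSON-shaped, so a parser that
  // ignores Content-Type would accept it. Even with a valid token present,
  // the strict media-type check rejects it.
  textPlainJson: {
    method: 'POST',
    headers: { 'content-type': 'text/plain', cookie: 'SESSION=abc', authorization: 'Bearer tok-alice' },
    body: '{"amount":10,"x":"=y"}',
  },
};

for (const [name, req] of Object.entries(SAMPLES)) {
  console.log(name, gateRequest(req));
}
```

The gate only answers the question as asked: an API whose clients authenticate with a header the browser never adds on its own, and whose only accepted body encoding is one a form cannot produce, has no ambient credential for a forged request to ride on. The caveat is the one the Spring Security docs quote gives: if a browser front end talks to the same endpoints with a session cookie, the cookie is the ambient credential again, and a CSRF token (or an equivalent such as Origin checking) is still needed; a Content-Type check alone only keeps out form submissions.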
