Docs section Cross Site Request Forgery is missing any discussion on whether CSRF is recommended / required for a REST API. Suggest adding content to the section to answer the following questions.
- Is CSRF protection required for a REST API? When is it required, and when is it not?
- What are the implications for the client making calls to a REST endpoint that has CSRF?
- How to configure a RestTemplate to make calls that factor in CSRF protection?
Comment From: rwinch
Thanks for the continued feedback @asaikali!
Is CSRF protection required for a REST API? When is it required when is it not?
There is a section that describes When to use CSRF protection.
Our recommendation is to use CSRF protection for any request that could be processed by a browser by normal users. If you are only creating a service that is used by non-browser clients, you will likely want to disable CSRF protection.
Is there something specific that you find missing?
What are the implications on the client making calls for a REST end point that has CSRF?
Can you elaborate on this?
How to configure a RestTemplate to make calls that factor in CSRF protection?
Given the recommendation above, you would not make calls to an endpoint that requires CSRF protection.
Comment From: spring-projects-issues
If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.
Comment From: asaikali
The docs state
When should you use CSRF protection? Our recommendation is to use CSRF protection for any request that could be processed by a browser by normal users. If you are only creating a service that is used by non-browser clients, you will likely want to disable CSRF protection.
This advice does not cover a very common scenario where an application has some API endpoints and server-side rendered pages. Providing recommendations on this common situation can help users.
Comment From: rwinch
I believe this is pretty clear. If you have interaction through a browser, then you should use CSRF protection. Can you provide where you think it needs clarification?
Comment From: goldman7911
There is plenty of room for improvements regarding CSRF in the Docs. I'll put them here and also cite another thread: https://github.com/spring-projects/spring-security/issues/11607
For instance, as a 'new/noob', trying to call a simple POST JSON endpoint, I got blocked because CSRF needs to be disabled or configured. Okay, that is in the FAQ explicitly, but it could be more highlighted in the introduction sections.
Also, there is a lack of examples of POST JSON using CSRF - the one that is there is a JWT implementation - amazing but complex for newcomers (https://github.com/spring-projects/spring-security-samples/tree/main/servlet/spring-boot/java/jwt/login).
Another small point of improvement: I only got an idea of how to grab the CSRF token from this mention of HttpServletRequest. No examples at all.
Also, the default is XSRF. I'm trying to understand how to change it to CSRF - but that may be my fault for missing some point.
https://docs.spring.io/spring-security/reference/servlet/exploits/csrf.html#servlet-csrf-include-ajax-meta-attr
I could achieve it in two ways:
import jakarta.servlet.http.HttpServletRequest;
import org.springframework.http.HttpStatus;
import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestAttribute;
import org.springframework.web.bind.annotation.ResponseStatus;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class CsrfTokenController {

    // Reads the token from the "_csrf" request attribute that CsrfFilter sets
    @GetMapping(value = "/byJakarta")
    @ResponseStatus(code = HttpStatus.OK)
    public String index(HttpServletRequest http) {
        CsrfToken token = (CsrfToken) http.getAttribute("_csrf");
        return "token gerado: " + token.getToken();
    }

    // Same token, resolved by Spring MVC through @RequestAttribute (parameter name "_csrf")
    @GetMapping(value = "/BySpring")
    @ResponseStatus(code = HttpStatus.OK)
    public String index(@RequestAttribute CsrfToken _csrf) {
        return "token gerado RequestAttribute: " + _csrf.getToken();
    }
}
I hope the Spring team can take that as feedback.
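The mixed case asaikali raises (server-rendered pages submitted by browsers plus a JSON API used by non-browser clients), together with goldman7911's question about switching the default XSRF names, is worth showing as one configuration. The following is an added example written for this thread; it is not code from the issue or from the Spring Security project. The path /api/**, the class name, and the cookie and header names CSRF-TOKEN / X-CSRF-TOKEN are assumptions; the API calls (CookieCsrfTokenRepository, CsrfTokenRequestAttributeHandler, ignoringRequestMatchers) are the Spring Security 6 ones.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.csrf.CsrfTokenRequestAttributeHandler;

// Added example for this thread (assumed class and path names), not Spring's own code.
@Configuration
@EnableWebSecurity
public class MixedCsrfConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        // Cookie-based repository so a browser page (or a script on it) can read the
        // token and echo it back in a header. withHttpOnlyFalse() is what lets JavaScript
        // read the cookie; keep the default (HttpOnly) if only server-rendered forms need it.
        CookieCsrfTokenRepository repo = CookieCsrfTokenRepository.withHttpOnlyFalse();
        // Assumed naming: replaces the default XSRF-TOKEN cookie and X-XSRF-TOKEN header.
        repo.setCookieName("CSRF-TOKEN");
        repo.setHeaderName("X-CSRF-TOKEN");

        // Plain request-attribute handler: exposes the token as the "_csrf" request
        // attribute (what the controller in the comment above reads) without the
        // XOR-wrapping applied by the default handler.
        CsrfTokenRequestAttributeHandler handler = new CsrfTokenRequestAttributeHandler();

        http
            .csrf(csrf -> csrf
                .csrfTokenRepository(repo)
                .csrfTokenRequestHandler(handler)
                // The JSON API is exempted, following the docs' recommendation for
                // endpoints that are only called by non-browser clients.
                .ignoringRequestMatchers("/api/**"))
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/api/**").authenticated()
                .anyRequest().authenticated())
            // Non-browser clients authenticate with HTTP Basic on every request.
            .httpBasic(Customizer.withDefaults())
            // Browser users get the login form and a session; their POSTs stay CSRF-checked.
            .formLogin(Customizer.withDefaults());
        return http.build();
    }
}
```

The exemption of /api/** is only as safe as the assumption behind it: those endpoints must not be callable with a credential the browser attaches automatically (the session cookie from formLogin, for example). If the same session is accepted on /api/**, a browser can still be made to issue a cross-site POST there, and the CSRF check should be kept for that path. With this configuration, a browser client reads the CSRF-TOKEN cookie and sends its value in the X-CSRF-TOKEN header on every state-changing request; a non-browser client calling /api/** sends only its own credential and needs no token.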