Spring Security 3: Cross Site Request Forgery(CSRF)

What is CSRF?

A security attack where an evil website tricks your browser into executing an action on a web application that you are currently logged in to. The browser automatically attaches your session cookie to the forged request, so without extra protection the application cannot tell it apart from a request you made on purpose.

CSRF Protection

  • To protect against CSRF attacks:
  • Embed additional authentication data (a token) into all HTML forms
  • On subsequent requests, the web app verifies the token before processing

Spring Security's CSRF Protection

  • CSRF protection is enabled by default in Spring Security
  • Spring Security uses the Synchronizer Token Pattern
    • Each request includes the session cookie and a randomly generated token bound to that session
  • For request processing, Spring Security verifies the token before the request reaches the application
  • All of this is handled by Spring Security filters

Use Spring Security CSRF Protection

  • For form submissions use POST instead of GET
  • Include the CSRF token in the form submission
  • <form:form> automagically adds the CSRF token

Manually add CSRF token

    <form action="..." method="POST">
      <input type="hidden"
             name="${_csrf.parameterName}"
             value="${_csrf.token}"/>
    </form>
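To make the Synchronizer Token Pattern and the manual form above concrete, here is an added Python model of what the Spring Security filter does; it is example code written for this page, not Spring Security's own implementation. It assumes a session cookie named JSESSIONID (the servlet container default) and uses the parameter name _csrf that Spring exposes as ${_csrf.parameterName}; the SessionStore, render_form and csrf_filter names are constructed for the example.

```python
import hmac
import secrets

# Parameter name Spring exposes as ${_csrf.parameterName} (assumed default)
CSRF_PARAM = "_csrf"
# Assumed session cookie name (servlet container default)
SESSION_COOKIE = "JSESSIONID"
# Methods that must not change state and therefore are not checked
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


class Session:
    """Minimal server-side session: a bag of attributes keyed by the cookie value."""

    def __init__(self):
        self.attributes = {}


class SessionStore:
    """Constructed stand-in for the container's session registry."""

    def __init__(self):
        self._sessions = {}

    def create(self):
        sid = secrets.token_urlsafe(16)
        self._sessions[sid] = Session()
        return sid

    def get(self, sid):
        return self._sessions.get(sid)


def issue_csrf_token(session):
    """Synchronizer Token Pattern: one unguessable token per session, kept server-side.

    The token is generated once and reused for the life of the session, so every
    form rendered for this session carries the same value."""
    token = session.attributes.get(CSRF_PARAM)
    if token is None:
        token = secrets.token_urlsafe(32)
        session.attributes[CSRF_PARAM] = token
    return token


def render_form(session):
    """What <form:form> does for you: embed the session's token as a hidden field."""
    token = issue_csrf_token(session)
    return (
        '<form action="/transfer" method="POST">\n'
        f'  <input type="hidden" name="{CSRF_PARAM}" value="{token}"/>\n'
        "</form>"
    )


def csrf_filter(store, method, cookies, form_params):
    """Return True if the request may proceed to the application, False to reject it.

    Mirrors the filter's decision: safe methods pass untouched; state-changing
    methods must carry the session cookie AND the token stored for that session."""
    if method.upper() in SAFE_METHODS:
        return True
    session = store.get(cookies.get(SESSION_COOKIE, ""))
    if session is None:
        return False  # no session, so no token to compare against
    expected = session.attributes.get(CSRF_PARAM)
    actual = form_params.get(CSRF_PARAM)
    if expected is None or actual is None:
        return False  # token never issued, or the submission omitted it
    # Constant-time comparison so timing does not leak the token byte by byte
    return hmac.compare_digest(expected.encode(), actual.encode())


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create()
    victim = store.get(sid)
    print(render_form(victim))
    token = issue_csrf_token(victim)
    # Legitimate submission: the browser sends the cookie and the form the app rendered
    print("legit   :", csrf_filter(store, "POST", {SESSION_COOKIE: sid}, {CSRF_PARAM: token}))
    # Forged submission: the evil site's page gets the cookie attached by the browser
    # but cannot read the token out of the victim's session, so it is rejected
    print("forged  :", csrf_filter(store, "POST", {SESSION_COOKIE: sid}, {}))
```

The forged request is rejected not because the session cookie is missing (the browser adds it automatically) but because the token is tied to the victim's server-side session and never appears in anything the attacker's origin can read. This is also why the page insists on POST for form submissions: the filter skips safe methods, so a state change behind GET would bypass the check.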

Conclusion

Use the Spring MVC form tags because they automatically do this work for you.