What is the reason to disable csrf in spring boot web application?

暖寄归人 2021-02-05 03:28

There are many tutorials where it is shown how to disable csrf,

csrf().disable()

(and other possibilities like .properties, .y

3 Answers
  • 2021-02-05 03:58

    Yes, it is safe to disable if you have a different authentication mechanism which cannot be cloaked. For internal enterprise applications, not much of a concern. We had to disable it because it was interfering with our existing authentication mechanism.

  • 2021-02-05 04:11

    What is the real-life reason to disable it?

    The Spring documentation suggests:

    Our recommendation is to use CSRF protection for any request that could be processed by a browser by normal users. If you are only creating a service that is used by non-browser clients, you will likely want to disable CSRF protection.


    Does it improve performance?

    It shouldn't impact the performance. A filter (or another component) will be removed from the request processing chain to make the feature unavailable.

    What is the reason to disable csrf in a Spring Boot application?

    1. You are using another token mechanism.
    2. You want to simplify interactions between a client and the server.
  • 2021-02-05 04:17

    Spring recommends using it when serving browser clients; if not, it may be disabled:

    Our recommendation is to use CSRF protection for any request that could be processed by a browser by normal users. If you are only creating a service that is used by non-browser clients, you will likely want to disable CSRF protection.

    I will add that even if you serve browser clients, but it's used internally only, you may want/be able to remove it.
