Spring Security, Stateless REST service and CSRF

Question

I have a REST service, built using Java, Spring-boot and using Spring Security with Basic Access Authentication. There are no Views, no JSP etc, no \'login\', just stateles

Answer 1

To answer your first question, in the context that you describe, you do not need CSRF protection. The background of CSRF protection is to ensure that the user is not tricked into doing some unwanted action.

For example, in pure theory, you could have logged into a bank's website (and thus established a session) and then went to some shady website. This site could have a form making a POST request to the bank's APIs. Because you have a session there, if the endpoint is not CSRF protected, then the request may go through.

As such, CSRF mostly acts as a protection against browser + session based attacks. If you expose a pure REST API with e.g. OAuth protection, then I don't see any reason for CSRF.

As you use spring boot, you could also disable CSRF using the application.properties / application.yaml configuration file.

security.enable-csrf=false

You can check out the Common Application Properties documentation page for more out-of-the-box configuration options.

Answer 2

If you want to disable csrf in more proper way you can call it like this(if using java configuration)

@Override
protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests()
            .anyRequest().fullyAuthenticated()
            .and().httpBasic();
       .and()
            .csrf()
            .disable()