Question
There are many tutorials where it is shown how to disable CSRF, csrf().disable() (and other possibilities like .properties, .yml, etc.), but nowhere is it explained why they do this.
So my questions are:
What is the real-life reason to disable it?
Does it improve performance?
Answer 1:
What is the real-life reason to disable it?
The Spring documentation suggests:
Our recommendation is to use CSRF protection for any request that could be processed by a browser by normal users. If you are only creating a service that is used by non-browser clients, you will likely want to disable CSRF protection.
Does it improve performance?
It shouldn't impact the performance. A filter (or another component) will be removed from the request processing chain to make the feature unavailable.
What is the reason to disable csrf in a Spring Boot application?
- You are using another token mechanism.
- You want to simplify interactions between a client and the server.
Answer 2:
Spring recommends using it when serving browser clients; if not, it may be disabled:
Our recommendation is to use CSRF protection for any request that could be processed by a browser by normal users. If you are only creating a service that is used by non-browser clients, you will likely want to disable CSRF protection.
I will add that even if you serve browser clients, but it's used internally only, you may want to/be able to remove it.
Answer 3:
Yes, it is safe to disable if you have a different authentication mechanism which cannot be cloaked. For internal enterprise applications, not much of a concern. We had to disable it because it was interfering with our existing authentication mechanism.
Source: https://stackoverflow.com/questions/52363487/what-is-the-reason-to-disable-csrf-in-spring-boot-web-application