Reputation: 16039
Numerous resources claim that (source1) (source2):
For resources exposed by RESTful web services, it's important to make sure any PUT, POST, and DELETE request is protected from Cross Site Request Forgery.
CSRF is mandatory for all applications with a minimum of concern about web security
However the Spring Security docs say:
use CSRF protection for any request that could be processed by a browser by normal users. If you are only creating a service that is used by non-browser clients, you will likely want to disable CSRF protection.
So, is it ok to disable CSRF for an application that?
Upvotes: 11
Views: 5645
Reputation: 10017
Pretty easy to explain this:
A CSRF token is generated based on the HTTP session. If your API is holding the HTTP session, you probably want to secure it with a CSRF token, BUT most REST services are designed to be stateless, in that case you cannot/shouldn't/wouldn't use a CSRF token.
Upvotes: 1
Reputation: 2514
It depends on the client of your API. CSRF attacks are based on the fact that the client automatically sends the cookies (authorization) of the requested URL with the HTTP request. If your client is not doing that (typically browsers do that automatically), you should be OK.
The reason why is: If your API consumer is not authenticated/authorized in your application via cookies (that are automatically stored by the browser), an attacker cannot use any other web page to do a successful CSRF attack (send an HTTP request from another page with the cookies of your API from the browser).
In other words, I can't imagine that you will have an API client written in a way that it can send requests to your API, store cookies (your authentication) and also can somehow show you some content that a "silly" user interacts with - sends requests to your API with cookies (your authentication) from previous API requests.
Upvotes: 4
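The rule both answers rely on, as an added example that is not from the question or either answer: a request is exposed to CSRF only when its credentials are attached automatically by the browser (a session cookie), so the check is applied per request based on how the caller authenticated. The cookie name `JSESSIONID`, the header name `X-CSRF-TOKEN` and the session-bound HMAC token are assumptions for the example, not Spring Security's implementation.

```python
# Added example: apply CSRF protection only to state-changing requests that
# are authenticated by a browser-managed session cookie (assumed: JSESSIONID).
import hmac

STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}
SESSION_COOKIE = "JSESSIONID"   # assumed session cookie name
TOKEN_HEADER = "x-csrf-token"   # assumed header carrying the CSRF token


def parse_cookies(cookie_header: str) -> dict:
    """Split 'a=1; b=2' into a dict (minimal parser, no quoting support)."""
    pairs = (p.strip().split("=", 1) for p in cookie_header.split(";") if "=" in p)
    return {k.strip(): v.strip() for k, v in pairs}


def csrf_check_required(method: str, headers: dict) -> bool:
    """True when the request can change state AND rides on a session cookie,
    which is exactly the case a cross-origin page could forge."""
    if method.upper() not in STATE_CHANGING:
        return False
    h = {k.lower(): v for k, v in headers.items()}
    cookies = parse_cookies(h.get("cookie", ""))
    # A bearer/JWT Authorization header is set explicitly by the client; a page
    # on another origin cannot attach it, so such requests need no CSRF token.
    return SESSION_COOKIE in cookies


def session_csrf_token(session_id: str, secret: bytes) -> str:
    """Token bound to the HTTP session (HMAC over the session id), in the
    spirit of a token 'generated based on the HTTP session'."""
    return hmac.new(secret, session_id.encode(), "sha256").hexdigest()


def authorize(method: str, headers: dict, secret: bytes) -> bool:
    """Accept the request unless it needs a CSRF token and lacks a valid one."""
    if not csrf_check_required(method, headers):
        return True
    h = {k.lower(): v for k, v in headers.items()}
    session_id = parse_cookies(h["cookie"])[SESSION_COOKIE]
    presented = h.get(TOKEN_HEADER, "")
    return hmac.compare_digest(presented, session_csrf_token(session_id, secret))


# Constructed sample requests: browser (cookie) client vs. stateless bearer client.
SECRET = b"server-side-secret"
COOKIE_REQ = {"Cookie": "JSESSIONID=abc123"}
TOKEN = session_csrf_token("abc123", SECRET)
COOKIE_REQ_WITH_TOKEN = {"Cookie": "JSESSIONID=abc123", "X-CSRF-TOKEN": TOKEN}
BEARER_REQ = {"Authorization": "Bearer eyJ.constructed.jwt"}
```

An API that accepts both cookie sessions and bearer tokens still has the cookie path to protect, which is why the decision is made per request rather than per application.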