Rahul Raj

Reputation: 3459

How can I make REST calls in a Spring Boot application without disabling CSRF protection in Spring Security?

I have a question regarding Spring Security CSRF protection. Does CSRF protection trigger a 403 status only if I make REST calls from REST clients like Postman? Does it trigger a 403 status while making REST calls from our code? If yes, how do I keep the CSRF protection and make REST calls?

Upvotes: 1

Views: 1374

Answers (1)

Serban Petrescu

Reputation: 5206

You need to include the CSRF token for all requests with one of the "protected" HTTP verbs (PATCH, POST, PUT, DELETE), regardless of where the request originates from (Postman or browser).

For example, the Spring documentation indicates that, if you use AJAX, it is recommended to include the CSRF token into a meta tag:

<html>
<head>
    <meta name="_csrf" content="${_csrf.token}"/>
    <!-- default header name is X-CSRF-TOKEN -->
    <meta name="_csrf_header" content="${_csrf.headerName}"/>
    <!-- ... -->
</head>
<!-- ... -->
</html>

Even when using Postman, there are ways around it that you can use to automate the process of extracting and including the token (and not having to manually retrieve the CSRF token each time from the login response). You can check the following question for more details: How do I send spring csrf token from Postman rest client?

Upvotes: 1
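The following is an added example (not part of the answer above or of Spring's own code) showing the client side of the approach the answer describes: read the `_csrf` and `_csrf_header` meta tags, then attach the token as a request header only for the protected verbs (POST, PUT, PATCH, DELETE). The HTML snippet, the token value, the `/api/widgets` URL and all function names are constructed for illustration; `readCsrfFromHtml` uses a minimal regex lookup so the example runs in Node without a DOM, and `readCsrfFromDocument` is the equivalent for a real browser page. The request is sent with `credentials: 'same-origin'` because Spring's default session-backed token repository validates the header against the token stored in the user's session.

```javascript
// Added example: attach a Spring Security CSRF token (read from the meta tags the
// answer shows) to fetch() requests. Names, sample page and token are constructed.

// Verbs Spring Security's CsrfFilter protects by default; GET/HEAD/TRACE/OPTIONS are exempt.
const PROTECTED_METHODS = new Set(['POST', 'PUT', 'PATCH', 'DELETE']);

// Minimal lookup of <meta name="..." content="..."> in an HTML string (constructed
// helper, enough for the two tags in the answer; a browser would use querySelector).
function metaContent(html, name) {
  const re = new RegExp(`<meta\\s+name="${name}"\\s+content="([^"]*)"\\s*/?>`, 'i');
  const m = html.match(re);
  return m ? m[1] : null;
}

// Read token and header name from HTML text. Falls back to Spring's default header name.
function readCsrfFromHtml(html) {
  return {
    token: metaContent(html, '_csrf'),
    headerName: metaContent(html, '_csrf_header') || 'X-CSRF-TOKEN',
  };
}

// Browser equivalent: readCsrfFromDocument(document)
function readCsrfFromDocument(doc) {
  const tokenEl = doc.querySelector('meta[name="_csrf"]');
  const headerEl = doc.querySelector('meta[name="_csrf_header"]');
  return {
    token: tokenEl ? tokenEl.getAttribute('content') : null,
    headerName: headerEl ? headerEl.getAttribute('content') : 'X-CSRF-TOKEN',
  };
}

// Build the fetch() init object. The CSRF header is added only for protected verbs;
// a protected request without a token is refused here, since the server would answer 403.
function buildRequestInit(method, csrf, body) {
  const m = method.toUpperCase();
  const headers = { 'Content-Type': 'application/json' };
  if (PROTECTED_METHODS.has(m)) {
    if (!csrf.token) {
      throw new Error('CSRF token missing; the server would reject this request with 403');
    }
    headers[csrf.headerName] = csrf.token;
  }
  return {
    method: m,
    headers,
    credentials: 'same-origin', // send the session cookie the token is bound to
    body: body === undefined ? undefined : JSON.stringify(body),
  };
}

// Constructed sample page; the token value is made up.
const SAMPLE_PAGE = `<html><head>
  <meta name="_csrf" content="example-token-1234"/>
  <!-- default header name is X-CSRF-TOKEN -->
  <meta name="_csrf_header" content="${'X-CSRF-TOKEN'}"/>
</head><body></body></html>`;

// Builds one protected and one unprotected request from the sample page.
function demo() {
  const csrf = readCsrfFromHtml(SAMPLE_PAGE);
  const post = buildRequestInit('post', csrf, { name: 'widget' });
  const get = buildRequestInit('get', csrf);
  // In a browser: fetch('/api/widgets', post).then(r => r.status)
  return { post, get };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

The same header-per-request rule applies to a Java client calling the API from your own code: it must first obtain a token (from the meta tag, the `XSRF-TOKEN` cookie if you use `CookieCsrfTokenRepository`, or the login response) and send it on every state-changing request together with the session it was issued for.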
