DanielM

Reputation: 127

How to configure my NGINX to allow CSRF protection on my Spring Boot application

I am trying to separate my Spring Boot application from my front-end, namely my Angular 7+ application, by using an NGINX reverse proxy. My Spring Boot application is of version 2.0.3+.RELEASE and has CSRF protection enabled.

My Security configuration looks like the following:

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .httpBasic().and()
            .authorizeRequests()
                .antMatchers("/").permitAll()
                .anyRequest().authenticated()
            .and()
            // Double-submit cookie: the XSRF-TOKEN cookie is left readable (httpOnly=false)
            // so the Angular client can echo it back in the X-XSRF-TOKEN header
            .csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
    }

My nginx.conf looks like this:

events {
  worker_connections 768;
}

http {
  # Nginx will handle gzip compression of responses from the app server
  gzip on;
  gzip_proxied any;
  gzip_types text/plain application/json;
  gzip_min_length 1000;

  server {
    listen 80;

    # Nginx will reject anything not matching /api
    location /api {
      # Reject requests with unsupported HTTP method
      if ($request_method !~ ^(GET|POST|HEAD|OPTIONS|PUT|DELETE)$) {
        return 405;
      }

      # Only requests matching the whitelist expectations will
      # get sent to the application server
      proxy_pass http://app:8080;
      proxy_http_version 1.1;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection 'upgrade';
      proxy_set_header Host $host;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_cache_bypass $http_upgrade;
    }

    location / {
      root   /var/www/ui;
      try_files $uri $uri/ /index.html =404;
      index  index.html index.htm;
    }
  }
}

Given the following request headers for http://localhost/api/myResource, I get a Forbidden response on a POST request:

Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate, br
Accept-Language: it,it-IT;q=0.9,en;q=0.8,it-CH;q=0.7
authorization: Basic
Connection: keep-alive
Content-Length: 94
Content-Type: application/json
Cookie: SESSION=MTdmNGFmODctMTNiMC00YzRjLWJjNTAtYmVlMTgzMzJkZTli; XSRF-TOKEN=fbe30e1e-1f64-4910-9040-799217c59b51
Host: localhost
Origin: http://localhost
Referer: http://localhost/admin/bundles
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
X-Requested-With: XMLHttpRequest

The Spring application logs the following error:

Invalid CSRF token found for http://localhost/api/myResource

Upvotes: 5

Views: 9359

Answers (1)

Prassanna S

Reputation: 1

Non-GET calls should explicitly pass X-XSRF-Token in the header when calling the backend Spring Boot server, like this:

import { Injectable } from '@angular/core';
import {
  HttpEvent, HttpHandler, HttpInterceptor, HttpRequest, HttpXsrfTokenExtractor
} from '@angular/common/http';
import { Observable } from 'rxjs';

@Injectable()
export class CustomInterceptor implements HttpInterceptor {

  constructor(private tokenExtractor: HttpXsrfTokenExtractor) { }

  intercept(request: HttpRequest<any>, next: HttpHandler): Observable<HttpEvent<any>> {
    const headerName = 'X-XSRF-TOKEN';
    // Reads the XSRF-TOKEN cookie that Spring's CookieCsrfTokenRepository set
    const token = this.tokenExtractor.getToken() as string;

    // Echo the cookie value back as a header so Spring can compare the two values
    if (token !== null && !request.headers.has(headerName)) {
      request = request.clone({ headers: request.headers.set(headerName, token) });
    }
    return next.handle(request);
  }
}

Upvotes: 0
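The request captured in the question carries the XSRF-TOKEN cookie but no X-XSRF-TOKEN header, which is exactly what Spring's CsrfFilter rejects. As an added example (not code from the question, the answer, Spring or Angular), the following TypeScript function models the double-submit comparison that CookieCsrfTokenRepository performs, run against the captured headers; it assumes Spring's default cookie and header names and ignores the `_csrf` form-parameter alternative.

```typescript
// Added example: models the double-submit check Spring's CookieCsrfTokenRepository
// performs (default names assumed; the _csrf form parameter is ignored here).
const SAFE_METHODS = ['GET', 'HEAD', 'TRACE', 'OPTIONS'];
const COOKIE_NAME = 'XSRF-TOKEN';    // Spring's default cookie name
const HEADER_NAME = 'X-XSRF-TOKEN';  // Spring's default header name

type HeaderMap = Record<string, string>;

// Case-insensitive header lookup, since header names are case-insensitive on the wire.
function getHeader(headers: HeaderMap, name: string): string | undefined {
  for (const key of Object.keys(headers)) {
    if (key.toLowerCase() === name.toLowerCase()) return headers[key];
  }
  return undefined;
}

// Splits a Cookie header into name/value pairs.
function parseCookies(cookieHeader: string | undefined): Record<string, string> {
  const out: Record<string, string> = {};
  for (const part of (cookieHeader ?? '').split(';')) {
    const eq = part.indexOf('=');
    if (eq > 0) out[part.slice(0, eq).trim()] = part.slice(eq + 1).trim();
  }
  return out;
}

// Returns 'ok' when Spring's CsrfFilter would let the request through, otherwise a
// short reason. A present cookie with no header is the situation in the question.
function csrfVerdict(method: string, headers: HeaderMap): string {
  if (SAFE_METHODS.indexOf(method.toUpperCase()) >= 0) return 'ok';
  const cookieToken = parseCookies(getHeader(headers, 'Cookie'))[COOKIE_NAME];
  if (!cookieToken) return 'missing cookie';
  const headerToken = getHeader(headers, HEADER_NAME);
  if (headerToken === undefined) return 'missing header';
  return headerToken === cookieToken ? 'ok' : 'token mismatch';
}

// Constructed sample: the relevant headers from the POST captured in the question.
const capturedRequest: HeaderMap = {
  'Content-Type': 'application/json',
  'Cookie': 'SESSION=MTdmNGFmODctMTNiMC00YzRjLWJjNTAtYmVlMTgzMzJkZTli; ' +
            'XSRF-TOKEN=fbe30e1e-1f64-4910-9040-799217c59b51',
  'Origin': 'http://localhost',
  'X-Requested-With': 'XMLHttpRequest',
};

// What the interceptor in the answer adds: the cookie value echoed as a header.
const fixedRequest: HeaderMap = {
  ...capturedRequest,
  'X-XSRF-TOKEN': 'fbe30e1e-1f64-4910-9040-799217c59b51',
};
```

Note that Angular's built-in HttpXsrfInterceptor adds the header only for relative URLs and non-GET/HEAD methods, so a call made to an absolute http://... URL sends the cookie without the header unless a custom interceptor like the one in the answer is registered.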
