Spring Boot does not require CSRF token

Question

I have a Spring Boot 1.5.12 application and CSRF protection is enabled as default. I use the CSRF token when I submit my POST request.

However, there are some URLS that needs to be fetched via a GET requests, with cookie information but does not require a CSRF token i.e.

<a href="/stuff"><i class="stuff-xs"></i><span>Stuff</span></a>

How can I force my Spring Boot application which requires a CSRF token for such requests too?

PS: I've some comments about CSRF protection not needed for GET requests. However, it should be protected for it too: https://www.acunetix.com/websitesecurity/csrf-attacks/

Answer 1

The idea of CSRF is to prevent modification of data that you don't initiated. It is supposed that GET method cannot modify data and that's why it is safe to call any GET URL without CSRF token. But if you implement some data changes on GET, then you should change your logic and move it to PUT, POST, DELETE, or PATCH methods.

Answer 2

If I understand the question correctly, you want to send a CSRF token with a GET request.

But GET or HEAD HTTP verbs don't need CSRF protection. They are auto immuned to CSRF.

CSRF mainly dupe the user into doing some activity on a malicious webpage which will then trigger a POST, PUT or DELETE verb in the original page impersonating the victim user.

The good thing is, CSRF cannot read anything due to same origin policy. It is solely based on exploiting the unsafe HTTP methods like POST, PUT and DELETE.

Therefore, GET or HEAD verbs don't need CSRF cookie.