Reputation: 4298
I have a typical web application where my backend is based on Spring Boot 3.2 with Spring Security 6.2+, and my frontend is based on Angular 13+.
According to the Spring CSRF configuration for SPA docs, it is recommended to use XorCsrfTokenRequestAttributeHandler for BREACH protection.
So I tried to understand what the BREACH attack is and how it exploits the system. The key point is:
To be vulnerable, a web application must:
- Be served from a server that uses HTTP-level compression
- Reflect user-input in HTTP response bodies
- Reflect a secret (such as a CSRF token) in HTTP response bodies
To my knowledge, SPA apps read the CSRF token from a client-side HTTP cookie (e.g. XSRF-TOKEN) and send it to the server as an HTTP header (e.g. X-XSRF-TOKEN) for unsafe HTTP methods. So for SPA apps the third requirement isn't satisfied, thus they are not vulnerable to the BREACH attack if we consider the CSRF token as the only secret.
Is my understanding correct? If yes, then we don't need to configure CSRF for a Single-Page Application the way the Spring docs recommend; rather, we can configure it like below:
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.csrf.CsrfTokenRequestAttributeHandler;

@Bean
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
    CsrfTokenRequestAttributeHandler csrfRequestHandler = new CsrfTokenRequestAttributeHandler();
    // By setting the csrfRequestAttributeName to null, the CsrfToken
    // must first be loaded to determine what attribute name to use.
    // This causes the CsrfToken to be loaded on every request.
    // SPA needs csrf token on the first request to the server.
    csrfRequestHandler.setCsrfRequestAttributeName(null);
    http.csrf(
            crfConfigure ->
                    crfConfigure
                            // non-HttpOnly cookie so the Angular app can read XSRF-TOKEN
                            .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
                            .csrfTokenRequestHandler(csrfRequestHandler));
    return http.build();
}
Upvotes: 0
Views: 387
Reputation: 1003
CSRF tokens in SPAs are managed via cookies and headers, which simplifies the handling but requires careful configuration to ensure security.
Recommended Configuration
Use CookieCsrfTokenRepository: you can use CookieCsrfTokenRepository.withHttpOnlyFalse() to store CSRF tokens. This allows your Angular app to read the token from the cookie and send it back in the header of requests needing protection.
CsrfToken handling: configure CsrfTokenRequestAttributeHandler for handling CSRF tokens. This handler ensures that the token is available as a request attribute whenever needed.
Security configuration in Spring Boot, example snippet:
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.csrf.CsrfTokenRequestAttributeHandler;

@Bean
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
    http.csrf(crfConfigure ->
            crfConfigure
                    // non-HttpOnly cookie so the Angular app can read XSRF-TOKEN
                    .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
                    .csrfTokenRequestHandler(new CsrfTokenRequestAttributeHandler()));
    return http.build();
}
This configuration ensures CSRF protection is active with tokens handled appropriately for an SPA, using cookies for storage and retrieval.
BREACH Attack
While your SPA setup is typically not vulnerable to BREACH attacks, because it does not reflect CSRF tokens in the HTTP response body, it's important to remain cautious. Ensure you do not use HTTP compression for sensitive data.
My thoughts
This setup balances security with the operational needs of a SPA, providing robust CSRF protection without introducing unnecessary complexity. Regularly review your security configuration.
Upvotes: 0