Implementing CSRF Protection in Spring Boot

Table of Contents

1. Understanding CSRF Attacks
2. How CSRF Protection Works
3. CSRF Protection in Spring Security
4. CSRF in a Simple Spring Boot Application
5. Customizing CSRF Protection
6. CSRF Protection for AJAX Requests
7. Best Practices for CSRF Protection
8. Conclusion

1. Understanding CSRF Attacks

Before we implement CSRF protection, it’s essential to understand the nature of a CSRF attack. The key characteristics of a CSRF attack include:

• Victim Authentication: The user must be logged into the target application. The attack relies on the user’s valid session or authentication token (such as a cookie) to make authenticated requests to the web server.
• Malicious Request: The attacker tricks the user into submitting a request that performs some state-changing operation (e.g., changing an email address, making a purchase, or deleting data).
• Same-Origin Requests: Because browsers automatically include cookies with requests to the same domain, CSRF exploits this trust relationship.

A typical CSRF attack might involve embedding a malicious link or form in another website that submits a request to the target application, such as:

<form action="https://bank.com/transfer" method="POST">
    <input type="hidden" name="amount" value="1000" />
    <input type="hidden" name="recipient" value="attacker" />
    <input type="submit" value="Transfer Money" />
</form>

If a logged-in user visits a malicious page that contains this form, the browser will automatically send the authenticated cookies along with the request, potentially transferring funds without the user's intent or awareness.

2. How CSRF Protection Works

To mitigate CSRF attacks, Spring Security uses a token-based approach:

• CSRF Tokens: The server generates a unique CSRF token for each session or request. This token is then embedded in HTML forms or included in HTTP headers for AJAX requests.
• Token Validation: When a user submits a form or sends an AJAX request, the CSRF token is included as part of the request. The server validates the token to ensure that the request originated from the same site.

The CSRF token ensures that malicious sites or scripts cannot forge requests because they would not have access to the valid token required by the server.

3. CSRF Protection in Spring Security

Spring Security enables CSRF protection by default for web applications. However, it’s important to understand when and how this protection is applied, and when you may want to customize it.

Default CSRF Configuration

In a typical Spring Boot web application, CSRF protection is automatically enabled for state-changing requests (POST, PUT, PATCH, DELETE), but not for GET requests, since they are considered safe and idempotent.

If you have Spring Security on your classpath, it will automatically enforce CSRF protection for you. You can customize its behavior by modifying the HttpSecurity configuration in your security configuration class.

4. CSRF in a Simple Spring Boot Application

Step 1: Set Up Spring Boot Project

You’ll need the following dependencies in your pom.xml:

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-web</artifactId>
</dependency>

Step 2: Create a Simple Controller

We’ll create a simple controller with a form submission that modifies data on the server.

package com.example.csrf.controller;

import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;

@Controller
public class CSRFController {

    @RequestMapping("/")
    public String home() {
        return "form";
    }

    @PostMapping("/submit")
    @ResponseBody
    public String submitForm() {
        return "Form submitted successfully!";
    }
}

Step 3: Create a Form with CSRF Token

In Spring, you can automatically generate and include the CSRF token in your HTML forms. Here’s how you can create a simple form in a form.html file:

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>CSRF Protection Example</title>
</head>
<body>
    <h1>Submit the Form</h1>
    <form action="/submit" method="POST">
        <input type="hidden" name="_csrf" value="${_csrf.token}" />
        <button type="submit">Submit</button>
    </form>
</body>
</html>

5. Customizing CSRF Protection

There may be scenarios where you need to disable CSRF protection for certain endpoints or APIs. For example, APIs that are used by external clients (e.g., mobile apps or third-party services) may not require CSRF protection, as they rely on tokens such as JWT for security.

Disabling CSRF for Specific Endpoints

In your security configuration class, you can configure CSRF protection to be disabled for certain endpoints (e.g., for REST APIs):

package com.example.csrf.config;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class SecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .csrf()
                .ignoringRequestMatchers("/api/**")  // Disable CSRF for API endpoints
                .and()
            .authorizeHttpRequests()
                .requestMatchers("/api/**").permitAll()
                .anyRequest().authenticated();

        return http.build();
    }
}

Disabling CSRF Globally

Although it's not recommended, you can disable CSRF protection globally for the entire application. This might be necessary for certain use cases, such as fully stateless applications using tokens (like JWT) for security. Here's how you can disable CSRF globally:

@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
    http
        .csrf().disable()  // Disable CSRF globally
        .authorizeHttpRequests()
        .anyRequest().authenticated();

    return http.build();
}

Be cautious when disabling CSRF, as it opens your application to CSRF attacks.

6. CSRF Protection for AJAX Requests

When using JavaScript or AJAX to submit forms, you need to ensure that the CSRF token is included in the request headers. Here’s an example using jQuery:

$.ajax({
    url: '/submit',
    type: 'POST',
    headers: {
        'X-CSRF-TOKEN': $('meta[name="_csrf"]').attr('content')
    },
    data: {
        /* Your data here */
    },
    success: function(response) {
        console.log(response);
    },
    error: function(xhr, status, error) {
        console.error('Error:', error);
    }
});

In your HTML, you would include the CSRF token in a meta tag:

<meta name="_csrf" content="${_csrf.token}" />

7. Best Practices for CSRF Protection

• Enable CSRF Protection: Always enable CSRF protection for your web applications unless there is a valid reason to disable it.
• Use HTTPS: Always use HTTPS to prevent attackers from intercepting and replaying requests.
• Limit CSRF Tokens to Specific Endpoints: Configure CSRF tokens to be valid only for specific endpoints where they are needed.
• Use Same-Site Cookies: Set the

  SameSite

  attribute on your cookies to restrict when cookies are sent with requests originating from other sites.

8. Conclusion

CSRF protection is a vital security measure for any web application. By implementing CSRF tokens and following best practices, you can protect your application from malicious requests that exploit user sessions. Spring Security provides a robust framework for implementing and customizing CSRF protection, ensuring your application remains secure against this common attack vector.