9 Configuring CSRF protection


This chapter covers

  • Understanding CSRF attacks
  • Implementing CSRF protection
  • Customizing CSRF protection

You have learned about the filter chain and its purpose in the Spring Security architecture. We worked on several examples in chapter 5, where we customized the filter chain. But Spring Security also adds its own filters to the chain. This chapter discusses the filter that configures CSRF (cross-site request forgery) protection. You’ll learn to customize the filters to make a perfect fit for your scenarios.

You have probably noticed that in most of the examples so far, we implemented our endpoints only with HTTP GET. Moreover, whenever we needed to expose an endpoint with HTTP POST, we also had to add a supplementary instruction to the configuration to disable CSRF protection. You can't call an endpoint with HTTP POST directly because of CSRF protection, which is enabled by default in Spring Security.

We'll now discuss CSRF protection and when to use it in your applications. CSRF is a widespread type of attack: an attacker who exploits a vulnerable application can force authenticated users to execute unwanted actions on that application. You don't want the applications you develop to be vulnerable to CSRF and to allow attackers to trick your users into executing unwanted actions.
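To make the two situations described above concrete, here is an added example (not code from the book or from the Spring Security project) showing, side by side, the "supplementary instruction" that disables CSRF protection and a configuration that keeps the default protection in the filter chain. It assumes Spring Security 6 with the SecurityFilterChain bean style; the class name, bean names and the `/api/machine/**` path are placeholders chosen for illustration.

```java
// Added example, not the book's code. Assumes Spring Security 6 (SecurityFilterChain beans).
// Class name, bean names and the "/api/machine/**" path are placeholders.
package example.csrf;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.csrf.CsrfTokenRequestAttributeHandler;

@Configuration
@EnableWebSecurity
public class CsrfConfig {

    // WEAK SETTING: this is what "add an instruction to disable CSRF protection" looks like.
    // Spring Security removes CsrfFilter from this chain, so a POST from any origin is
    // accepted as long as the browser attaches the user's session cookie. Only defensible
    // for endpoints used exclusively by non-browser clients that do not authenticate
    // with cookies (here: HTTP Basic on a dedicated, placeholder path).
    @Bean
    @Order(1)
    SecurityFilterChain machineClientChain(HttpSecurity http) throws Exception {
        http
            .securityMatcher("/api/machine/**")             // placeholder path
            .csrf(csrf -> csrf.disable())
            .authorizeHttpRequests(a -> a.anyRequest().authenticated())
            .httpBasic(b -> {});
        return http.build();
    }

    // DEFAULT-STRENGTH SETTING: CsrfFilter stays in the chain. Spring Security issues a
    // token per session; every state-changing request (POST/PUT/PATCH/DELETE) must echo it
    // back (the _csrf form field or the X-CSRF-TOKEN / X-XSRF-TOKEN header) or the filter
    // rejects the request with 403 before it reaches your controller.
    @Bean
    @Order(2)
    SecurityFilterChain browserChain(HttpSecurity http) throws Exception {
        // Store the token in an XSRF-TOKEN cookie readable by browser JavaScript, so a
        // front end can copy it into the X-XSRF-TOKEN header on its own requests.
        CookieCsrfTokenRepository repo = CookieCsrfTokenRepository.withHttpOnlyFalse();
        // Expose the raw token value in the request attribute (no XOR masking).
        CsrfTokenRequestAttributeHandler handler = new CsrfTokenRequestAttributeHandler();
        http
            .csrf(csrf -> csrf
                .csrfTokenRepository(repo)
                .csrfTokenRequestHandler(handler))
            .authorizeHttpRequests(a -> a.anyRequest().authenticated())
            .formLogin(f -> {});
        return http.build();
    }
}
```

The two chains are ordered explicitly because Spring Security evaluates them in order and rejects a configuration in which a catch-all chain precedes a path-restricted one. Using the plain `CsrfTokenRequestAttributeHandler` instead of the default XOR-masking handler trades away Spring Security's BREACH mitigation for simpler client code; keep the default handler when the token is only ever rendered into server-side templates.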

9.1 How CSRF protection works in Spring Security

9.2 Using CSRF protection in practical scenarios

9.3 Customizing CSRF protection

Summary