10 Applying CSRF protection and CORS


This chapter covers

  • Implementing cross-site request forgery protection

  • Customizing CSRF protection

  • Applying cross-origin resource sharing configurations

You have learned about the filter chain and its purpose in the Spring Security architecture. We worked on several examples in chapter 9, where we customized the filter chain. But Spring Security also adds its own filters to the chain. In this chapter, we’ll discuss the filter that applies CSRF protection and the one related to CORS configurations. You’ll learn to customize these filters to make a perfect fit for your scenarios.

10.1 Applying cross-site request forgery (CSRF) protection in applications

You have probably observed that in most of the examples up to now, we only implemented our endpoints with HTTP GET. Moreover, when we needed to configure HTTP POST, we also had to add a supplementary instruction to the configuration to disable CSRF protection. You can't directly call an endpoint with HTTP POST because of CSRF protection, which Spring Security enables by default.

In this section, we discuss CSRF protection and when to use it in your applications. CSRF is a widespread type of attack: an application vulnerable to CSRF can be made to execute unwanted actions on behalf of a user who has already authenticated. You don't want the applications you develop to be CSRF vulnerable and allow attackers to trick your users into making unwanted actions.
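To make the point concrete, here is an added configuration example (not one of the book's listings) that contrasts the blanket `csrf().disable()` used in earlier chapters with keeping CSRF protection switched on. It assumes the Spring Security 5.x `WebSecurityConfigurerAdapter` style the earlier examples use; the `/webhooks/**` path is a hypothetical, non-browser endpoint.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

// Added example, not the book's own listing. Assumes Spring Security 5.x.
@Configuration
public class ProjectConfig extends WebSecurityConfigurerAdapter {

  @Override
  protected void configure(HttpSecurity http) throws Exception {
    // What earlier chapters did to get HTTP POST working at all: this turns
    // the CsrfFilter off for every endpoint, so the protection is gone entirely.
    // http.csrf().disable();

    // Keep CSRF protection on. Spring Security issues a token per session and
    // rejects POST/PUT/DELETE/PATCH requests that do not carry it. The cookie
    // repository also writes the token to an XSRF-TOKEN cookie (readable by
    // same-origin JavaScript) so a browser client can echo it back in the
    // X-XSRF-TOKEN header; server-rendered forms get it as the _csrf attribute.
    http.csrf()
        .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
        // Exempt only endpoints a browser never drives and that authenticate
        // by other means, e.g. a signed webhook callback (hypothetical path).
        .ignoringAntMatchers("/webhooks/**");

    http.authorizeRequests().anyRequest().authenticated();
    http.httpBasic();
  }
}
```

With this in place, a POST to any other endpoint without a matching token is rejected with 403 by the CsrfFilter, while the exempted path still passes through the rest of the chain.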

10.1.1 How CSRF protection works in Spring Security

10.1.2 Using CSRF protection in practical scenarios

10.1.3 Customizing CSRF protection

10.2 Using cross-origin resource sharing

10.2.1 How does CORS work?

10.2.2 Applying CORS policies with the @CrossOrigin annotation

10.2.3 Applying CORS using a CorsConfigurer

Summary
