10 Applying CSRF protection and CORS


This chapter covers

  • Implementing Cross-Site Request Forgery (CSRF) protection with Spring Security.
  • Customizing CSRF protection.
  • Applying Cross-Origin Resource Sharing (CORS) configurations.

Up to now, you have learned what the filter chain is and what purpose it serves in the Spring Security architecture. In chapter 9, we worked through several examples in which we customized the filter chain. But Spring Security also adds its own filters to the chain. In this chapter, we discuss the filter that applies CSRF protection and the one that handles CORS configuration. You’ll learn to customize these filters so that the way they work is a perfect fit for your scenarios.

10.1 Applying CSRF protection in applications

You have probably observed that in most of the examples up to now, we implemented our endpoints only with HTTP GET. Moreover, whenever we needed to expose an endpoint with HTTP POST, we also had to add a supplementary instruction to the configuration to disable Cross-Site Request Forgery (CSRF) protection. The reason you can’t directly call an endpoint with HTTP POST is CSRF protection, which Spring Security enables by default.

10.1.1 How CSRF protection works in Spring Security

10.1.2 Using CSRF protection in practical scenarios

10.1.3 Customizing CSRF protection

10.2 Using Cross-Origin Resource Sharing (CORS)

10.2.1 How does CORS work?

10.2.2 Applying CORS policies with the @CrossOrigin annotation

10.2.3 Applying CORS using a CorsConfigurer

10.3 Summary