
In my spring based rest API, I'm using spring-session with HeaderHttpSessionStrategy. Given cookies are not used at all (session id is sent as a header), do I still need to worry about CSRF attacks?

I would say I'm safe, and I have read people agreeing that in this scenario CSRF protection is not needed, for example: https://security.stackexchange.com/questions/62080/is-csrf-possible-if-i-dont-even-use-cookies

However, the Spring guys argue that whenever an application is accessed by a browser you do need CSRF protection: https://spring.io/blog/2015/01/12/the-login-page-angular-js-and-spring-security-part-ii.

jsc

2 Answers

1

In my opinion, if you use the HeaderHttpSessionStrategy, CSRF attacks are not possible. If you save the header token as a cookie, it is actually the same approach as the XSRF protection works. So XSRF protection does not give you any additional protection.

Christoph
0

I'd stick with the Spring guys. Generally they know what they are talking about. CSRF attacks consist of malicious code running while your request is in transit, pretending that the request comes from you.

Enabling CSRF doesn't do any harm other than adding a hidden field to your form and it protects your web application against such attacks. Why not use it then?

Marco Tedone