Is CSRF protection really expected to be present in a REST based application?

I know it is required for web applications where JSPs are served from the server end. But I am developing a Spring Boot enabled REST service that will be consumed by Angular/Bootstrap front ends. The authentication mechanism is JWT based.

Can anybody explain what kind of CSRF attacks I can expect, since I haven't used Spring's CSRF protection mechanism in the backend REST services?

Abhishek Chatterjee

1 Answer


Since a REST application is supposed to be stateless, you can't implement traditional CSRF protection (which involves storing a token on the client and the server and then matching them).

However, you can still be vulnerable to CSRF attacks if you use a mechanism to pass credentials that is automatically persisted by the browser (such as cookies or HTTP Basic Auth).

You should avoid using such methods for authentication when writing a REST service and use something else (e.g. a custom HTTP request header).

Quentin
  • Is it still vulnerable if I use basic auth over HTTPS? – Abhishek Chatterjee May 13 '18 at 12:17
  • HTTPS has no bearing on CSRF attacks. – Quentin May 13 '18 at 12:17
  • How about JWT authentication instead of Basic? Is CSRF protection still required then? – Abhishek Chatterjee May 15 '18 at 08:25
  • Depends where you store the token. – Quentin May 15 '18 at 08:29
  • It means that a CSRF attack is possible if I store the token somewhere on the Angular side from where it can be stolen. But there is no chance of CSRF if I store it in a secure way on the Angular side... maybe in encrypted form. – Abhishek Chatterjee May 15 '18 at 08:36
  • No. You seem to be confusing CSRF with XSS now. See the point I made in the answer about the credentials being automatically sent with any request. The form the credentials take (JWT, simple password, etc, etc, etc) doesn't matter. It is how you send them to the server that does. – Quentin May 15 '18 at 08:38
  • Thanks for the clarification. But you also said "Depends where you store the token" – is that about XSS? If HTTPS is already enabled, the token will be encrypted anyway. Isn't that sufficient? Otherwise, what is the recommended way of sending the token? – Abhishek Chatterjee May 15 '18 at 09:12
  • "is that about XSS?" — No. – Quentin May 15 '18 at 09:25
  • "If HTTPS is already enabled, the token will be encrypted anyway. Isn't that sufficient?" — No. CSRF is about tricking the browser into making a request, not stealing the credentials. – Quentin May 15 '18 at 09:25
  • "Otherwise, what is the recommended way of sending the token?" — See the second half of the last sentence in the answer. – Quentin May 15 '18 at 09:26