What is the reason to disable csrf in spring boot web application?

Question

There are many tutorials where is shown how to disable csrf,

csrf().disable()

(and other possibilities like .properties, .yml, etc.) but nowhere explained why they do this?

So my questions are:

What is the real-life reason to disable it?
Is it improves performance?

someone can use another token mechanism which is not csrf to authenticate requests, such as jwt, so there wont be any use of csrf token — benjamin c, Sep 17 '18 at 08:23
In a tutorial, that might just be to make the tutorial simpler. — Raedwald, Sep 17 '18 at 08:29
@benjaminc ok, i see, but why don't just forget about csrf().disable()? are jwt and standart csrf somehow interfere or disturb each other? — arminvanbuuren, Sep 17 '18 at 08:29
@Raedwald, i think just forget about csrf().disable() is simplier ))) — arminvanbuuren, Sep 17 '18 at 08:30

Andrew Tobilko · Accepted Answer · 2018-09-17T08:39:48.627

What is the real-life reason to disable it?

The Spring documentation suggests:

Our recommendation is to use CSRF protection for any request that could be processed by a browser by normal users. If you are only creating a service that is used by non-browser clients, you will likely want to disable CSRF protection.

Does it improve performance?

It shouldn't impact the performance. A filter (or another component) will be removed from the request processing chain to make the feature unavailable.

What is the reason to disable csrf in a Spring Boot application?

You are using another token mechanism.
You want to simplify interactions between a client and the server.

score 7 · Answer 2 · edited May 14 '21 at 22:31

7

Spring recommend using it when serving browser clients, if not it may be disabled:

Our recommendation is to use CSRF protection for any request that could be processed by a browser by normal users. If you are only creating a service that is used by non-browser clients, you will likely want to disable CSRF protection.

I will add that even if you serve browser clients, but it's used internally only you may want/able to remove it.

edited May 14 '21 at 22:31

Godfather

27
1
6

answered Sep 17 '18 at 08:27

Ori Marko

56,308
23
131
233

2

So the essence of my question is: ** why** I may want to do this? What is the reason I'm so eager to disable it? Why cannot I just forget about it? – arminvanbuuren Sep 17 '18 at 08:42
You do not want to disable CSRF protection for internal sites. This will allow attackers to bypass firewalls since CSRF happens within your browser which is present behind any firewalls. I'd recommend reading through https://docs.spring.io/spring-security/site/docs/5.3.x/reference/html5/#csrf – Rob Winch Mar 25 '20 at 13:59

score 0 · Answer 3 · edited May 14 '21 at 17:19

0

Yes, it is safe to disable if you have a different authentication mechanism that cannot be cloaked. For internal enterprise applications, not much of a concern. We had to disable it because it was interfering with our existing authentication mechanism.

edited May 14 '21 at 17:19

Godfather

27
1
6

answered Apr 27 '20 at 18:36

vsingh

6,365
3
53
57

What is the reason to disable csrf in spring boot web application?

3 Answers3

Linked