
In so many tutorials I found the line

  http
    .csrf().disable();

When can we just do it? I understand what this attack is about, but when can we be sure that we do not need this type of protection? For example, when we create a REST API which a React app will consume. Does it also depend on the other forms of security we use, for example JWT?

gerwaz
  • Similar question was answered here: https://stackoverflow.com/questions/52363487/what-is-the-reason-to-disable-csrf-in-spring-boot-web-application – Rauf Aghayev Mar 25 '20 at 08:50

1 Answer


When there is a micro-service to micro-service call there is no need for CSRF protection. CSRF is only an issue with browsers (and apps embedding a browser, like a WebView in a mobile app), so there's no need to implement protection for machine-to-machine communication, as those use an HTTP client library and hardcoded URLs, so there's no way to make them "browse" a CSRF-vulnerable endpoint like you can with a normal browser (with an img tag, for example).

As far as normal clients are concerned, even if your micro-service is reachable from outside, it shouldn't be an issue, as its authentication system should only allow authorised clients (other micro-services, mobile app, etc.), and even if a customer is tricked into accessing its API endpoints, they shouldn't have the correct credentials to authenticate to it (unless your customer-facing API keys or cookies can somehow work for internal micro-services, which is a bad idea and you should prevent that).

Datta Diware
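To make the distinction in the answer concrete, here is an added example configuration (not code from the question, the answer, or the Spring Security project itself) that keeps both cases in one application: a stateless REST API under `/api/**` authenticated by a bearer JWT, where CSRF protection is switched off, and a browser-facing part that uses a session cookie, where it stays on. It assumes Spring Security 5.8 or later (the `securityMatcher` and lambda DSL), that the `spring-security-oauth2-resource-server` module is on the classpath, and that the JWT issuer or JWK set URI is configured in application properties; the path prefix `/api/**` and the class name are arbitrary choices for the illustration.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

// Example configuration, added here for illustration; not from the original post.
@Configuration
@EnableWebSecurity
public class SecurityConfig {

    // Chain 1: the REST API consumed by the React app (path prefix is an assumption).
    // Credentials arrive as a bearer JWT in the Authorization header. The browser
    // never attaches that header on its own, so a cross-site <img>, <form> or
    // fetch() cannot ride on the victim's credentials. No session cookie is
    // created (STATELESS), so there is nothing for CSRF protection to protect.
    @Bean
    @Order(1)
    SecurityFilterChain apiChain(HttpSecurity http) throws Exception {
        http
            .securityMatcher("/api/**")
            .csrf(csrf -> csrf.disable())
            .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            // Validates the bearer token; issuer/JWK settings come from properties
            // such as spring.security.oauth2.resourceserver.jwt.issuer-uri (assumed).
            .oauth2ResourceServer(rs -> rs.jwt(Customizer.withDefaults()));
        return http.build();
    }

    // Chain 2: everything else is authenticated with a JSESSIONID cookie, which the
    // browser DOES attach to cross-site requests. CSRF protection stays enabled.
    // The token is exposed in a readable XSRF-TOKEN cookie so a JavaScript client
    // can echo it back in the X-XSRF-TOKEN header on state-changing requests.
    @Bean
    @Order(2)
    SecurityFilterChain browserChain(HttpSecurity http) throws Exception {
        http
            .csrf(csrf -> csrf.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()))
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .formLogin(Customizer.withDefaults());
        return http.build();
    }
}
```

The deciding question is not "is it a REST API" or "do I use JWT" but "does the browser attach the credential automatically". A JWT sent in the Authorization header does not qualify, so the first chain can drop CSRF; the same JWT stored in a cookie would be attached automatically, and then the second chain's behaviour is the one you want.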