7

Is there a way to automatically include a CSRF header in requests made from Swagger UI when using the one bundled with springdoc-openapi?

A similar solution appears to be implemented in springfox (GitHub), but I can find no information about whether this is possible to accomplish with springdoc-openapi.

starman

2 Answers

8

CSRF tokens are supported by default if you are using standard headers (for example, the spring-security headers).

If the CSRF token is required, swagger-ui automatically sends the new XSRF-TOKEN during each HTTP request.

That said, if your XSRF-TOKEN isn't standards-based, you can use a requestInterceptor to manually capture and attach the latest xsrf token to requests programmatically via a spring resource transformer:

Also, CSRF is becoming less relevant over time, as browsers add user-agent level support for controls over cross-origin request cookie inclusion.

Starting from release v1.4.4 of springdoc-openapi, a new property was added to enable CSRF support while using standard header names:

springdoc.swagger-ui.csrf.enabled=true
  • Thank you, I will try using the requestInterceptor. I can't, however, get the automatic support with standard headers; here is my minimal example: https://github.com/Stjerndal/springdoc-csrf. Am I missing something there to get it working? – starman Jun 11 '20 at 08:18
  • 1
    starman, you can test with the latest snapshot of springdoc-openapi, which adds support for CSRF out of the box: https://github.com/springdoc/springdoc-openapi/issues/776 –  Jul 11 '20 at 09:45
  • Even if my server is configured properly to check the csrf token, when I try to send a request from swagger-ui, it never sends the expected default header – Fabio O. Padilha Apr 24 '23 at 21:19
0

SwaggerUI does not include the CSRF-TOKEN in the request by default.

If you are using React, you can reuse the following code to include it manually:

import React from 'react';
import SwaggerUI from "swagger-ui-react"
import "swagger-ui-react/swagger-ui.css"
import Cookies from 'universal-cookie';

const cookies = new Cookies();

const DocsPage = () => (
  <SwaggerUI url="/v2/api-docs" requestInterceptor={(request) => {
    // Copy Spring Security's XSRF-TOKEN cookie into the X-XSRF-TOKEN header.
    // The cookie has to be readable from JavaScript (not HttpOnly), e.g. the
    // server uses CookieCsrfTokenRepository.withHttpOnlyFalse().
    request.headers['X-XSRF-TOKEN'] = cookies.get("XSRF-TOKEN")
    // swagger-ui requires the interceptor to return the (modified) request;
    // without this line the request is dropped.
    return request
  }}/>
);

export default DocsPage;
Peter Gyschuk
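For readers on the plain swagger-ui bundle rather than React, here is an added example (not code from the question or either answer) of the same requestInterceptor written without a cookie library. It follows Spring Security's default cookie/header names from the answers above (XSRF-TOKEN / X-XSRF-TOKEN), only attaches the token to state-changing methods, and returns the request as swagger-ui requires; the cookie-string source is injected so it can run outside a browser, and the sample cookie string is constructed.

```javascript
// Added example: a dependency-free swagger-ui requestInterceptor that mirrors
// Spring Security's CookieCsrfTokenRepository contract (cookie "XSRF-TOKEN",
// header "X-XSRF-TOKEN"). In the browser, pass () => document.cookie.

const CSRF_COOKIE = 'XSRF-TOKEN';
const CSRF_HEADER = 'X-XSRF-TOKEN';
// Safe methods (RFC 7231) are not CSRF-protected; only state-changing ones are.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);

// Parse a document.cookie-style string ("a=1; b=2") into a name -> value map.
// Values are URL-decoded because some stacks percent-encode the token.
function parseCookies(cookieString) {
  const jar = {};
  for (const part of cookieString.split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    if (!name) continue;
    const raw = part.slice(eq + 1).trim();
    try {
      jar[name] = decodeURIComponent(raw);
    } catch (e) {
      jar[name] = raw; // malformed percent-encoding: keep the literal value
    }
  }
  return jar;
}

// Build the interceptor. It MUST return the (possibly modified) request object;
// an interceptor that returns nothing leaves swagger-ui with `undefined`.
function makeCsrfInterceptor(getCookieString) {
  return (request) => {
    const method = (request.method || 'GET').toUpperCase();
    if (SAFE_METHODS.has(method)) return request; // nothing to attach
    const token = parseCookies(getCookieString())[CSRF_COOKIE];
    if (token) {
      request.headers = { ...(request.headers || {}), [CSRF_HEADER]: token };
    }
    return request;
  };
}

// Constructed sample of what document.cookie might hold after the first GET
// to the API has set the token cookie (the token value is made up).
const SAMPLE_COOKIES = 'JSESSIONID=abc123; XSRF-TOKEN=0f1e2d3c-sample-token';
```

In the page this is wired as `SwaggerUIBundle({ url: '/v2/api-docs', requestInterceptor: makeCsrfInterceptor(() => document.cookie) })`; the server must still issue the cookie without HttpOnly (Spring's `CookieCsrfTokenRepository.withHttpOnlyFalse()`), or the script cannot read it.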