
I am using Java Spring WebFlux and I want to implement CSRF security. I am curious what the best practices are nowadays, seeing so many different answers.

I'm especially interested in checking if it's possible to implement CSRF security without having an endpoint to query the token, because that comes with its own challenges and forces another call. I am using a React SPA for the frontend.

There is a login POST endpoint available. To me it looks like it would make sense to whitelist that endpoint for a CSRF token and additionally, send a CSRF token along with the response, so users have a CSRF cookie and are logged in in a single request.

This is the current code:

@Bean
public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
    return http
        // double-submit cookie (XSRF-TOKEN), readable by the frontend script
        .csrf(csrf -> csrf.csrfTokenRepository(CookieServerCsrfTokenRepository.withHttpOnlyFalse()))
        .build();
}

Problems are:

  • Login method is not whitelisted
  • I don't see a returned cookie with a CSRF value

Does anybody have a suggestion? I see many complex answers involving filters, but I'm curious if it can be simplified.
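Added example (not the asker's code, not from the Spring project) showing one way to get both points in the question working: the login endpoint is exempted from the CSRF check, and the token cookie is written on every response, including the login response, so the SPA never needs a separate token endpoint. It assumes Spring Security 6.x on the reactive stack, that the login endpoint is POST /login, and a hypothetical package name:

```java
// Added example, not the asker's code: a complete WebFlux CSRF configuration that
//   1. keeps the double-submit cookie the question already uses (XSRF-TOKEN,
//      HttpOnly=false, read by the React app and echoed back in X-XSRF-TOKEN),
//   2. exempts POST /login from the CSRF check (the login path is an assumption), and
//   3. forces the token cookie onto every response, including the login response,
//      by subscribing to the lazily generated CsrfToken.
// Assumes Spring Security 6.x on the reactive stack; the package name is hypothetical.
package com.example.security;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.SecurityWebFiltersOrder;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.csrf.CookieServerCsrfTokenRepository;
import org.springframework.security.web.server.csrf.CsrfToken;
import org.springframework.security.web.server.csrf.CsrfWebFilter;
import org.springframework.security.web.server.csrf.ServerCsrfTokenRequestAttributeHandler;
import org.springframework.security.web.server.util.matcher.AndServerWebExchangeMatcher;
import org.springframework.security.web.server.util.matcher.NegatedServerWebExchangeMatcher;
import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatcher;
import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatchers;
import org.springframework.web.server.ServerWebExchange;
import org.springframework.web.server.WebFilter;
import org.springframework.web.server.WebFilterChain;
import reactor.core.publisher.Mono;

@Configuration
@EnableWebFluxSecurity
public class CsrfConfig {

    @Bean
    public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
        // Spring's default matcher protects every method except GET, HEAD, TRACE and
        // OPTIONS. AND it with "not POST /login" so the login call needs no token.
        ServerWebExchangeMatcher notLogin = new NegatedServerWebExchangeMatcher(
                ServerWebExchangeMatchers.pathMatchers(HttpMethod.POST, "/login"));
        ServerWebExchangeMatcher requireCsrf = new AndServerWebExchangeMatcher(
                CsrfWebFilter.DEFAULT_CSRF_MATCHER, notLogin);

        return http
            .csrf(csrf -> csrf
                // Cookie named XSRF-TOKEN, readable by JavaScript.
                .csrfTokenRepository(CookieServerCsrfTokenRepository.withHttpOnlyFalse())
                // Plain handler: accepts the raw cookie value echoed in X-XSRF-TOKEN.
                .csrfTokenRequestHandler(new ServerCsrfTokenRequestAttributeHandler())
                .requireCsrfProtectionMatcher(requireCsrf))
            // Runs right after CsrfWebFilter, so the token Mono is already in the exchange.
            .addFilterAfter(new CsrfCookieWebFilter(), SecurityWebFiltersOrder.CSRF)
            .build();
    }

    /**
     * CsrfWebFilter only stores a Mono<CsrfToken> in the exchange attributes; the
     * cookie is written when that Mono is subscribed. Nothing subscribes to it on a
     * plain JSON endpoint, which is why no Set-Cookie header shows up. Subscribing
     * here makes every response, including the login response, carry the cookie.
     */
    static final class CsrfCookieWebFilter implements WebFilter {
        @Override
        public Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain) {
            Mono<CsrfToken> token = exchange.getAttributeOrDefault(
                    CsrfToken.class.getName(), Mono.empty());
            return token.then(chain.filter(exchange));
        }
    }
}
```

With this in place the React app reads the XSRF-TOKEN cookie after the login response and sends its value in the X-XSRF-TOKEN header on every state-changing request; the filter runs for the exempted login request too, which is what makes the cookie appear on that response. The trade-off of exempting the login endpoint is that it is no longer protected against login CSRF (a third-party site submitting the login form on the user's behalf), so keep the exemption as narrow as the single path and method shown.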

  • This sets the cookie as HttpOnly false, which means your front-end script is meant to read it and then send it along as a custom header in subsequent requests. You might check here for configuring things to suit your needs: docs.spring.io/spring-security/reference/servlet/exploits/… Commented Mar 18 at 19:49
