-
Notifications
You must be signed in to change notification settings - Fork 2k
Expand file tree
/
Copy pathSpringCSRFProtection.qhelp
More file actions
38 lines (33 loc) · 1.38 KB
/
SpringCSRFProtection.qhelp
File metadata and controls
38 lines (33 loc) · 1.38 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
<!DOCTYPE qhelp SYSTEM "qhelp.dtd">
<qhelp>
<overview>
<p>When you set up a web server to receive a request from a client without any mechanism
for verifying that it was intentionally sent, then it is vulnerable to attack. An attacker can
trick a client into making an unintended request to the web server that will be treated as
an authentic request. This can be done via a URL, image load, XMLHttpRequest, etc. and can
result in exposure of data or unintended code execution.</p>
</overview>
<recommendation>
<p>When you use Spring, Cross-Site Request Forgery (CSRF) protection is enabled by default. Spring's recommendation
is to use CSRF protection for any request that could be processed by a browser client by normal
users.</p>
</recommendation>
<example>
<p>The following example shows the Spring Java configuration with CSRF protection disabled.
This type of configuration should only be used if you are creating a service that is used only
by non-browser clients.</p>
<sample src="SpringCSRFProtection.java" />
</example>
<references>
<li>
OWASP:
<a href="https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)">Cross-Site Request Forgery (CSRF)</a>.
</li>
<li>
Spring Security Reference:
<a href="https://docs.spring.io/spring-security/site/docs/current/reference/html5/#servlet-csrf">
Cross Site Request Forgery (CSRF) for Servlet Environments
</a>.
</li>
</references>
</qhelp>