@@ -97,13 +97,13 @@ Spring provides two mechanisms to protect against CSRF attacks:
[NOTE]
====
-Both protections require that <<Safe Methods Must be Idempotent>>
+Both protections require that <<Safe Methods Must be Read-only>>
====
-[[csrf-protection-idempotent]]
-=== Safe Methods Must be Idempotent
+[[csrf-protection-read-only]]
+=== Safe Methods Must be Read-only
-In order for <<csrf-protection,either protection>> against CSRF to work, the application must ensure that https://tools.ietf.org/html/rfc7231#section-4.2.1["safe" HTTP methods are idempotent].
+In order for <<csrf-protection,either protection>> against CSRF to work, the application must ensure that https://tools.ietf.org/html/rfc7231#section-4.2.1["safe" HTTP methods are read-only].
This means that requests with the HTTP method `GET`, `HEAD`, `OPTIONS`, and `TRACE` should not change the state of the application.
[[csrf-protection-stp]]
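Review bot: renaming the anchor from `[[csrf-protection-idempotent]]` to `[[csrf-protection-read-only]]` breaks any existing inbound links or bookmarks that target the old id; AsciiDoc lets a section carry more than one anchor, so keeping `[[csrf-protection-idempotent]]` on the line above the new id would preserve them at no cost. The terminology fix itself is right: RFC 7231 section 4.2.1 defines safe methods as essentially read-only, while idempotency is the separate property of section 4.2.2 that also covers PUT and DELETE, which are not safe, so "idempotent" understated what CSRF protection actually requires. Separately, the xref `<<Safe Methods Must be Read-only>>` inside the NOTE still references the section by title, which silently breaks the next time the heading is reworded; since the section now has an explicit id, `<<csrf-protection-read-only>>` is the more robust form.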
@@ -119,7 +119,7 @@ For example, requiring the actual CSRF token in an HTTP parameter or an HTTP hea
Requiring the actual CSRF token in a cookie does not work because cookies are automatically included in the HTTP request by the browser.
We can relax the expectations to only require the actual CSRF token for each HTTP request that updates state of the application.
-For that to work, our application must ensure that <<csrf-protection-idempotent,safe HTTP methods are idempotent>>.
+For that to work, our application must ensure that <<csrf-protection-read-only,safe HTTP methods are read-only>>.
This improves usability since we want to allow linking to our website using links from external sites.
Additionally, we do not want to include the random token in HTTP GET as this can cause the tokens to be leaked.
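Review bot: this xref uses the section id, `<<csrf-protection-read-only,safe HTTP methods are read-only>>`, rather than the section title that the other two hunks reference, so it will survive future wording changes to the heading; the title-based xrefs elsewhere in this change should be brought into line with it. The surrounding context stays consistent with the rename: requiring the token only on state-changing requests, and keeping it out of `GET` so it is not leaked, is sound exactly because safe-method handlers are read-only, and an idempotent-but-not-read-only handler would have satisfied the old wording while still being exploitable.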
@@ -190,7 +190,7 @@ Valid values for the `SameSite` attribute are:
* `Strict` - when specified any request coming from the https://tools.ietf.org/html/draft-west-first-party-cookies-07#section-2.1[same-site] will include the cookie.
Otherwise, the cookie will not be included in the HTTP request.
-* `Lax` - when specified cookies will be sent when coming from the https://tools.ietf.org/html/draft-west-first-party-cookies-07#section-2.1[same-site] or when the request comes from top-level navigations and the <<Safe Methods Must be Idempotent,method is idempotent>>.
+* `Lax` - when specified cookies will be sent when coming from the https://tools.ietf.org/html/draft-west-first-party-cookies-07#section-2.1[same-site] or when the request comes from top-level navigations and the <<Safe Methods Must be Read-only,method is read-only>>.
Otherwise, the cookie will not be included in the HTTP request.
Let's take a look at how <<csrf-explained,our example>> could be protected using the `SameSite` attribute.
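Review bot: the `Lax` bullet now says the cookie is sent on top-level navigations when the method is read-only, but the linked draft (draft-west-first-party-cookies-07) states that condition in terms of "safe" HTTP methods, and the target section heading already says "Safe Methods"; link text such as `method is safe` would match both the draft and the RFC 7231 term instead of introducing a third phrasing for the same property. The xref `<<Safe Methods Must be Read-only,method is read-only>>` also references the section by title; `<<csrf-protection-read-only,method is read-only>>` would match the id-based form used in the second hunk and not depend on the heading text.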