In the world of modern web development, security is a foundational pillar. One such security threat that developers must defend against is CSRF (Cross-Site Request Forgery). In this post, weβll walk through how to effectively implement CSRF Protection in REST APIs using Spring Boot and Spring Security.
We’ll cover:
- What CSRF is
- When and why it matters for APIs
- How to configure Spring Security for CSRF-safe endpoints
π What is CSRF?
CSRF (Cross-Site Request Forgery) is an attack where a malicious website tricks a logged-in user into performing unintended actions on another website where they are authenticated.
Example attack scenario:
- User logs in to
yourapp.com. - Without logging out, the user visits
malicious.com. - A script on
malicious.comsends aPOSTrequest toyourapp.com/api/transferon behalf of the user.
If CSRF protection isnβt enabled, that malicious request could go through.
β οΈ Does CSRF Affect REST APIs?
Not always β but sometimes.
- If your REST APIs are stateless and use tokens (like JWT) in headers: CSRF is less of a concern.
- If your APIs use cookies for authentication, especially in Single Page Applications (SPAs): CSRF must be addressed.
So, if your frontend stores session cookies or uses form-based login, you need CSRF Protection in REST APIs.
𧱠Spring Boot Setup
Dependencies (pom.xml)
Make sure the following dependencies are in your pom.xml:
|
1 2 3 4 5 6 7 8 9 10 11 12 |
<dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-security</artifactId> </dependency> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-web</artifactId> </dependency> |
π οΈ Implementing CSRF Protection in REST APIs
π com.kscodes.springboot.security.config.SecurityConfig.java
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 |
package com.kscodes.springboot.security.config; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.web.SecurityFilterChain; @Configuration public class SecurityConfig { @Bean public SecurityFilterChain filterChain(HttpSecurity http) throws Exception { http .csrf(csrf -> csrf .ignoringRequestMatchers("/api/public/**") // disable CSRF for public endpoints ) .authorizeHttpRequests(auth -> auth .requestMatchers("/api/public/**").permitAll() .anyRequest().authenticated() ); return http.build(); } } |
Explanation:
- CSRF is enabled by default in Spring Security.
- Weβre disabling CSRF only for specific public endpoints.
- For protected endpoints, CSRF tokens are still required.
π How CSRF Token Works in REST APIs
If you use cookies for authentication, the CSRF token must be:
- Sent from backend as part of a response (e.g., in a header or meta tag).
- Read by the frontend and included in every state-changing request (
POST,PUT,DELETE).
Example: Sending CSRF Token to Frontend
|
1 2 3 4 5 6 7 |
@GetMapping("/csrf-token") public CsrfToken csrfToken(CsrfToken token) { return token; } |
Frontend receives:
|
1 2 3 4 5 6 7 8 |
{ "headerName": "X-CSRF-TOKEN", "parameterName": "_csrf", "token": "random-csrf-value" } |
Frontend then adds it to request headers:
|
1 2 3 4 5 6 7 8 9 10 |
fetch("/api/secure/data", { method: "POST", headers: { "X-CSRF-TOKEN": "random-csrf-value" }, body: JSON.stringify({ ... }) }); |
π Real-World Strategy for CSRF Protection in REST APIs
| If using: | Then: |
|---|---|
| Cookie-based login | Enable CSRF protection and send token |
| Stateless APIs with JWT | You can disable CSRF |
| Third-party clients (mobile) | Disable CSRF (if not using session/cookie) |
β Example Controller
π com.kscodes.springboot.security.controller.UserController.java
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 |
package com.kscodes.springboot.security.controller; import org.springframework.web.bind.annotation.*; @RestController @RequestMapping("/api/secure") public class UserController { @PostMapping("/update-profile") public String updateProfile(@RequestBody String profileData) { return "Profile updated securely."; } } |
You must send a CSRF token with this POST request.
π Key Takeaways
- CSRF Protection in REST APIs is crucial if you rely on cookies.
- Spring Boot provides out-of-the-box CSRF token generation and validation.
- Use
csrfToken()endpoint to expose token to frontend. - Stateless APIs using JWT or OAuth2 typically donβt need CSRF.