Please note: although I mentioned Spring/Java here, I believe this is a pure CSRF/websec question at heart, and can be answered by anybody with CSRF/websec experience, regardless of their familiarity with Java or Spring!
---
Spring Boot & Spring Security here. The Spring docs state:
Our recommendation is to use CSRF protection for any request that could be processed by a browser by normal users. If you are only creating a service that is used by non-browser clients, you will likely want to disable CSRF protection.
I'm interested in why? Why is it OK to disable CSRF protection when building a service whose only clients are non-browsers, but it should be enabled when the service talks to browser clients?
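As an added illustration (not part of the question or of the Spring docs quoted above), a minimal model of the synchronizer-token check that CSRF protection performs, contrasting a cookie-authenticated browser endpoint with an endpoint authenticated by an explicit API-key header; the session store, the API keys and the header names are constructed for this example.

```python
"""Toy model of a synchronizer-token CSRF check (constructed example)."""
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed server-side state: session id -> user plus the CSRF token bound to that session.
SESSIONS = {"sess-abc": {"user": "alice", "csrf": secrets.token_hex(16)}}
# Constructed credentials for non-browser clients; sent in an explicit header.
API_KEYS = {"key-123": "bob"}


@dataclass
class Request:
    method: str
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def authenticate_browser(req):
    """Cookie-based auth: the browser attaches the session cookie to every
    request to this site, including requests a third-party page triggers."""
    return SESSIONS.get(req.cookies.get("SESSION"))


def csrf_ok(req, sess):
    """Synchronizer token: a state-changing request must carry the token bound
    to the session (here in a header). A cross-site page can make the browser
    send the cookie, but cannot read the token out of the victim's page."""
    if req.method in ("GET", "HEAD", "OPTIONS"):
        return True
    sent = req.headers.get("X-CSRF-TOKEN", "")
    return hmac.compare_digest(sent, sess["csrf"])


def handle_browser_endpoint(req):
    """Endpoint used by browsers: cookie auth plus CSRF token check."""
    sess = authenticate_browser(req)
    if sess is None:
        return 401
    if not csrf_ok(req, sess):
        return 403
    return 200


def handle_api_endpoint(req):
    """Endpoint used only by non-browser clients: the credential travels in a
    header the client adds deliberately, so nothing is attached automatically
    on a third party's behalf and a CSRF token would add nothing."""
    if req.headers.get("X-API-KEY") not in API_KEYS:
        return 401
    return 200
```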