security CSRF Vulnerability Protection
2022-08-02 00:07:00 【Three or two lines of program】
I. Overview of CSRF
XSS exploits the user's trust in a website.
CSRF exploits the website's trust in the user's browser.
Example
II. CSRF defense
1. Defense strategy
The defense uses the synchronizer token pattern: besides the cookie that the browser attaches to every HTTP request by default, the server generates a random string called the CSRF token. Once protection is enabled, the HttpSession keeps a copy of it; when a front-end request arrives, the CSRF token carried in the request is compared with the one held on the server, and if the two are not equal the HTTP request is rejected.
Because a website may contain external links, those requests are required to be idempotent, so there is no need to use CSRF tokens for methods such as HEAD, OPTIONS and TRACE. Forcing a token onto them may lead to token leakage.
2. Traditional web development configuration
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .anyRequest().authenticated()
                .and()
                .formLogin()
                .and()
                // enable CSRF protection (token stored in the HttpSession by default)
                .csrf();
    }
}
3. Front-end and back-end separation configuration
By default the CSRF token is stored in the server-side HttpSession. With a separated front end and back end, the generated token must instead be placed in a cookie, and the front end reads the token from that cookie and submits it with each request.
Store the CSRF token in a cookie
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .anyRequest().authenticated()
                .and()
                .formLogin()
                .and()
                // enable CSRF protection
                .csrf()
                // store the token in a cookie that front-end JavaScript is allowed to read (HttpOnly = false)
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
    }
}
Visit the login interface to view cookies
Sending a request with the token
Method 1: when calling other interfaces, carry the token in a request header:
X-XSRF-TOKEN: <value from the cookie>
Method 2: carry the token as a request parameter:
_csrf=<value from the cookie>
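The two submission methods above, plus the server-side comparison that rejects a mismatching token and skips the safe methods, as an added example that is not part of the original post (the helper names readCookie, withCsrf and csrfCheck and the sample cookie jar are this example's own, not Spring Security API):

```javascript
// Methods treated as safe: no CSRF token is required for them.
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

// Constructed sample of what document.cookie looks like after visiting the
// login page with CookieCsrfTokenRepository.withHttpOnlyFalse() in place.
const SAMPLE_COOKIES =
  "JSESSIONID=abc123; XSRF-TOKEN=11111111-2222-3333-4444-555555555555";

// Read one cookie value from a document.cookie-style string ("a=1; b=2").
function readCookie(cookieString, name) {
  for (const part of cookieString.split(";")) {
    const [key, ...rest] = part.trim().split("=");
    if (key === name) return decodeURIComponent(rest.join("="));
  }
  return null;
}

// Method 1: build fetch() options that carry the token in X-XSRF-TOKEN.
// In a browser, cookieString would be document.cookie.
function withCsrf(cookieString, options = {}) {
  const token = readCookie(cookieString, "XSRF-TOKEN");
  const headers = { ...(options.headers || {}) };
  if (token !== null) headers["X-XSRF-TOKEN"] = token;
  return { ...options, credentials: "same-origin", headers };
}

// Server-side view of the check: for non-safe methods, the token from the
// X-XSRF-TOKEN header or the _csrf parameter (method 2) must equal the token
// the server holds for this client, here the XSRF-TOKEN cookie it issued.
function csrfCheck(req) {
  if (SAFE_METHODS.has(req.method.toUpperCase())) return { ok: true };
  const expected = readCookie(req.cookie || "", "XSRF-TOKEN");
  const headers = req.headers || {};
  const params = req.params || {};
  const actual =
    headers["X-XSRF-TOKEN"] !== undefined ? headers["X-XSRF-TOKEN"] : params._csrf;
  if (expected === null || actual === undefined || actual !== expected) {
    return { ok: false, status: 403, reason: "Invalid CSRF Token" };
  }
  return { ok: true };
}

// Walk through the sample: a POST with the header passes, one without is rejected.
function demo() {
  const good = withCsrf(SAMPLE_COOKIES, { method: "POST" });
  return {
    withHeader: csrfCheck({ method: "POST", cookie: SAMPLE_COOKIES, headers: good.headers }).ok,
    withoutToken: csrfCheck({ method: "POST", cookie: SAMPLE_COOKIES }).status,
  };
}
```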