mirror of
https://github.com/spring-projects/spring-security.git
synced 2025-06-01 09:42:13 +00:00
Change Idempotent to Read-Only
Closes gh-13644
parent
11a21896dd
commit
b919ece045
@ -97,13 +97,13 @@ Spring provides two mechanisms to protect against CSRF attacks:
|
|||||||
|
|
||||||
[NOTE]
|
[NOTE]
|
||||||
====
|
====
|
||||||
Both protections require that <<Safe Methods Must be Idempotent>>
|
Both protections require that <<Safe Methods Must be Read-only>>
|
||||||
====
|
====
|
||||||
|
|
||||||
[[csrf-protection-idempotent]]
|
[[csrf-protection-read-only]]
|
||||||
=== Safe Methods Must be Idempotent
|
=== Safe Methods Must be Read-only
|
||||||
|
|
||||||
In order for <<csrf-protection,either protection>> against CSRF to work, the application must ensure that https://tools.ietf.org/html/rfc7231#section-4.2.1["safe" HTTP methods are idempotent].
|
In order for <<csrf-protection,either protection>> against CSRF to work, the application must ensure that https://tools.ietf.org/html/rfc7231#section-4.2.1["safe" HTTP methods are read-only].
|
||||||
This means that requests with the HTTP method `GET`, `HEAD`, `OPTIONS`, and `TRACE` should not change the state of the application.
|
This means that requests with the HTTP method `GET`, `HEAD`, `OPTIONS`, and `TRACE` should not change the state of the application.
|
||||||
|
|
||||||
[[csrf-protection-stp]]
|
[[csrf-protection-stp]]
|
||||||
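Review bot: renaming the anchor from `[[csrf-protection-idempotent]]` to `[[csrf-protection-read-only]]` breaks every existing inbound link to the old fragment (bookmarks, search results, other projects' docs), and the cross-reference `<<Safe Methods Must be Read-only>>` in the NOTE is resolved by section title rather than by ID, so it will silently break the next time the heading is reworded, which is exactly what this commit does. Suggest keeping the old ID reachable (an inline anchor `[[csrf-protection-idempotent]]` in the heading text, or a redirect in the site config) and changing the title-based reference to `<<csrf-protection-read-only,Safe Methods Must be Read-only>>`. The wording change itself is correct: the linked RFC 7231 section 4.2.1 defines safe methods in terms of not changing state, which is what the following sentence ("should not change the state of the application") already says, whereas idempotency is a different property that a state-changing request can also have.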
@ -119,7 +119,7 @@ For example, requiring the actual CSRF token in an HTTP parameter or an HTTP hea
|
|||||||
Requiring the actual CSRF token in a cookie does not work because cookies are automatically included in the HTTP request by the browser.
|
Requiring the actual CSRF token in a cookie does not work because cookies are automatically included in the HTTP request by the browser.
|
||||||
|
|
||||||
We can relax the expectations to only require the actual CSRF token for each HTTP request that updates state of the application.
|
We can relax the expectations to only require the actual CSRF token for each HTTP request that updates state of the application.
|
||||||
For that to work, our application must ensure that <<csrf-protection-idempotent,safe HTTP methods are idempotent>>.
|
For that to work, our application must ensure that <<csrf-protection-read-only,safe HTTP methods are read-only>>.
|
||||||
This improves usability since we want to allow linking to our website using links from external sites.
|
This improves usability since we want to allow linking to our website using links from external sites.
|
||||||
Additionally, we do not want to include the random token in HTTP GET as this can cause the tokens to be leaked.
|
Additionally, we do not want to include the random token in HTTP GET as this can cause the tokens to be leaked.
|
||||||
|
|
||||||
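Review bot: the updated xref `<<csrf-protection-read-only,safe HTTP methods are read-only>>` matches the renamed anchor and the new heading text, so this hunk is consistent with the first one. Nit in the same paragraph: "each HTTP request that updates state of the application" reads better as "each HTTP request that updates the state of the application".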
@ -190,7 +190,7 @@ Valid values for the `SameSite` attribute are:
|
|||||||
|
|
||||||
* `Strict` - when specified any request coming from the https://tools.ietf.org/html/draft-west-first-party-cookies-07#section-2.1[same-site] will include the cookie.
|
* `Strict` - when specified any request coming from the https://tools.ietf.org/html/draft-west-first-party-cookies-07#section-2.1[same-site] will include the cookie.
|
||||||
Otherwise, the cookie will not be included in the HTTP request.
|
Otherwise, the cookie will not be included in the HTTP request.
|
||||||
* `Lax` - when specified cookies will be sent when coming from the https://tools.ietf.org/html/draft-west-first-party-cookies-07#section-2.1[same-site] or when the request comes from top-level navigations and the <<Safe Methods Must be Idempotent,method is idempotent>>.
|
* `Lax` - when specified cookies will be sent when coming from the https://tools.ietf.org/html/draft-west-first-party-cookies-07#section-2.1[same-site] or when the request comes from top-level navigations and the <<Safe Methods Must be Read-only,method is read-only>>.
|
||||||
Otherwise, the cookie will not be included in the HTTP request.
|
Otherwise, the cookie will not be included in the HTTP request.
|
||||||
|
|
||||||
Let's take a look at how <<csrf-explained,our example>> could be protected using the `SameSite` attribute.
|
Let's take a look at how <<csrf-explained,our example>> could be protected using the `SameSite` attribute.
|
||||||
|
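Review bot: the `Lax` bullet references the section by title, `<<Safe Methods Must be Read-only,method is read-only>>`, which is the same fragile title-based xref as in the first hunk; use the ID form `<<csrf-protection-read-only,method is read-only>>` so a later heading change cannot break it. While touching these lines, note that both bullets link to `draft-west-first-party-cookies-07`, an expired draft; the current definition of `SameSite` lives in the RFC 6265bis draft, so consider updating the link target in a follow-up.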
@ -17,7 +17,7 @@ In Spring Security 6, the default is that the lookup of the `CsrfToken` will be
|
|||||||
[NOTE]
|
[NOTE]
|
||||||
====
|
====
|
||||||
The `CsrfToken` is needed whenever a request is made with an HTTP verb that would change the state of the application.
|
The `CsrfToken` is needed whenever a request is made with an HTTP verb that would change the state of the application.
|
||||||
This is covered in detail in xref:features/exploits/csrf.adoc#csrf-protection-idempotent[Safe Methods Must be Idempotent].
|
This is covered in detail in xref:features/exploits/csrf.adoc#csrf-protection-read-only[Safe Methods Must be Read-only].
|
||||||
Additionally, it is needed by any request that renders the token to the response, such as a web page with a `<form>` tag that includes a hidden `<input>` for the CSRF token.
|
Additionally, it is needed by any request that renders the token to the response, such as a web page with a `<form>` tag that includes a hidden `<input>` for the CSRF token.
|
||||||
====
|
====
|
||||||
|
|
||||||
|
@ -7,14 +7,14 @@ This section discusses Spring Security's xref:features/exploits/csrf.adoc#csrf[C
|
|||||||
== Using Spring Security CSRF Protection
|
== Using Spring Security CSRF Protection
|
||||||
The steps to using Spring Security's CSRF protection are outlined below:
|
The steps to using Spring Security's CSRF protection are outlined below:
|
||||||
|
|
||||||
* <<webflux-csrf-idempotent,Use proper HTTP verbs>>
|
* <<webflux-csrf-read-only,Use proper HTTP verbs>>
|
||||||
* <<webflux-csrf-configure,Configure CSRF Protection>>
|
* <<webflux-csrf-configure,Configure CSRF Protection>>
|
||||||
* <<webflux-csrf-include,Include the CSRF Token>>
|
* <<webflux-csrf-include,Include the CSRF Token>>
|
||||||
|
|
||||||
[[webflux-csrf-idempotent]]
|
[[webflux-csrf-read-only]]
|
||||||
=== Use proper HTTP verbs
|
=== Use proper HTTP verbs
|
||||||
The first step to protecting against CSRF attacks is to ensure your website uses proper HTTP verbs.
|
The first step to protecting against CSRF attacks is to ensure your website uses proper HTTP verbs.
|
||||||
This is covered in detail in xref:features/exploits/csrf.adoc#csrf-protection-idempotent[Safe Methods Must be Idempotent].
|
This is covered in detail in xref:features/exploits/csrf.adoc#csrf-protection-read-only[Safe Methods Must be Read-only].
|
||||||
|
|
||||||
[[webflux-csrf-configure]]
|
[[webflux-csrf-configure]]
|
||||||
=== Configure CSRF Protection
|
=== Configure CSRF Protection
|
||||||
|
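Review bot: in this file the anchor is renamed from `[[webflux-csrf-idempotent]]` to `[[webflux-csrf-read-only]]` while its heading, "Use proper HTTP verbs", is unchanged, so the rename has no reader-visible benefit here and only costs existing deep links to `#webflux-csrf-idempotent`. Either keep the old anchor (the xref label "Use proper HTTP verbs" does not depend on it), or if the goal is naming consistency across the docs, also keep the old ID as an alias so the links keep resolving. The updated `xref:features/exploits/csrf.adoc#csrf-protection-read-only[...]` is correct given the rename in the first hunk.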
@ -7,14 +7,14 @@ This section discusses Spring Security's xref:features/exploits/csrf.adoc#csrf[C
|
|||||||
== Using Spring Security CSRF Protection
|
== Using Spring Security CSRF Protection
|
||||||
The steps to using Spring Security's CSRF protection are outlined below:
|
The steps to using Spring Security's CSRF protection are outlined below:
|
||||||
|
|
||||||
* <<servlet-csrf-idempotent,Use proper HTTP verbs>>
|
* <<servlet-csrf-read-only,Use proper HTTP verbs>>
|
||||||
* <<servlet-csrf-configure,Configure CSRF Protection>>
|
* <<servlet-csrf-configure,Configure CSRF Protection>>
|
||||||
* <<servlet-csrf-include,Include the CSRF Token>>
|
* <<servlet-csrf-include,Include the CSRF Token>>
|
||||||
|
|
||||||
[[servlet-csrf-idempotent]]
|
[[servlet-csrf-read-only]]
|
||||||
=== Use proper HTTP verbs
|
=== Use proper HTTP verbs
|
||||||
The first step to protecting against CSRF attacks is to ensure your website uses proper HTTP verbs.
|
The first step to protecting against CSRF attacks is to ensure your website uses proper HTTP verbs.
|
||||||
This is covered in detail in xref:features/exploits/csrf.adoc#csrf-protection-idempotent[Safe Methods Must be Idempotent].
|
This is covered in detail in xref:features/exploits/csrf.adoc#csrf-protection-read-only[Safe Methods Must be Read-only].
|
||||||
|
|
||||||
[[servlet-csrf-configure]]
|
[[servlet-csrf-configure]]
|
||||||
=== Configure CSRF Protection
|
=== Configure CSRF Protection
|
||||||
|
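Review bot: same concern as for the webflux file, the `servlet-csrf-idempotent` anchor is renamed under an unchanged heading, so existing links to `#servlet-csrf-idempotent` break for no visible gain; keep the old ID as an alias or leave the anchor as it was. Separately, this hunk and the webflux one are identical line for line except for the `servlet-`/`webflux-` prefix, which is why the same edit had to be applied twice by hand; consider moving the shared "Using Spring Security CSRF Protection" steps into one included fragment parameterised by an attribute for the prefix, so the two pages cannot drift apart on the next terminology change.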