Vinotech

Summary

The provided content explains the concepts of CORS (Cross-Origin Resource Sharing) and CSRF (Cross-Site Request Forgery) in the context of a Spring Boot application, detailing their definitions, mechanisms, and how to configure them in Spring Boot.

Abstract

CORS is a browser security feature that restricts web applications from accessing resources from different domains unless explicitly allowed by the server. In Spring Boot, CORS can be configured globally or per controller, allowing developers to specify which origins, methods, and headers are permitted, and whether credentials are allowed. CSRF, on the other hand, is an attack vector where a malicious site tricks a user's browser into performing actions on a site where the user is authenticated. Spring Security mitigates CSRF by requiring a unique token for state-changing requests, which is included in forms or headers. However, for stateless APIs, such as those using JWT tokens, CSRF protection can be disabled as it is not applicable.

Opinions

  • The article suggests that CORS is particularly important for APIs that are accessed by clients hosted on different domains.
  • It implies that proper CORS configuration is crucial for the security and functionality of web applications.
  • The text conveys that while Spring Security provides CSRF protection by default, developers should understand when it is appropriate to disable it, such as when dealing with stateless APIs.
  • The inclusion of code examples for both enabling and disabling CSRF protection indicates a preference for practical demonstrations over theoretical explanations alone.
  • The article seems to advocate for a balanced approach to security, enabling necessary protections like CORS and CSRF tokens while also acknowledging scenarios where certain protections may be safely omitted.

Understanding CORS and CSRF in Spring Boot

1. CORS (Cross-Origin Resource Sharing)

Definition:

CORS is a security mechanism implemented in browsers that controls how web applications access resources from a different origin (scheme, host and port). By default the browser's same-origin policy stops a page from reading the responses to requests it makes to an origin other than the one that served it; CORS is how a server declares which other origins may do so. This is particularly important for APIs, where clients (like web applications) hosted on different domains may need to access your Spring Boot server.

How CORS Works:

  • When a browser makes a cross-origin request (e.g., your front-end on http://localhost:3000 calling your Spring Boot API on http://localhost:8080) that is not a "simple" request (for example a PUT, or a POST with a JSON body or custom headers), it first sends a pre-flight request (an OPTIONS request) to the server to check whether such a cross-origin request is allowed.
  • The server responds with Access-Control-Allow-* headers that indicate whether the actual request is permitted; only then does the browser send it, and only then may the page read the response.

Configuring CORS in Spring Boot:

You can configure CORS globally or on specific controllers.

Example — Global CORS Configuration in Spring Boot:

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.CorsRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

@Configuration
public class WebConfig implements WebMvcConfigurer {

    @Override
    public void addCorsMappings(CorsRegistry registry) {
        registry.addMapping("/**") // Allow CORS on all paths
            .allowedOrigins("http://localhost:3000") // Allow a specific origin; "*" is rejected when credentials are allowed
            .allowedMethods("GET", "POST", "PUT", "DELETE") // Allow specific methods
            .allowedHeaders("*") // Allow all request headers
            .allowCredentials(true); // Allow credentials (e.g., cookies) to be sent cross-origin
    }
}
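As an added illustration (not code from the article), the following replays the pre-flight exchange in-process: it feeds the same policy as WebConfig above, together with a browser-style OPTIONS request, through Spring's DefaultCorsProcessor (the class Spring MVC's CORS support uses) and prints the response headers for an allowed and for a foreign origin. The path /api/items and the origin http://attacker.example are constructed values, and spring-test's MockHttpServletRequest stands in for a real request.

```java
import java.io.IOException;

import org.springframework.http.HttpHeaders;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.DefaultCorsProcessor;

public class CorsPreflightDemo {

    // Same policy as the WebConfig mapping, built as a plain CorsConfiguration object.
    static CorsConfiguration policy() {
        CorsConfiguration config = new CorsConfiguration();
        config.addAllowedOrigin("http://localhost:3000");
        for (String m : new String[] {"GET", "POST", "PUT", "DELETE"}) {
            config.addAllowedMethod(m);
        }
        config.addAllowedHeader("*");
        config.setAllowCredentials(true);
        return config;
    }

    // The OPTIONS request a browser sends before a cross-origin PUT with a JSON body
    // (constructed path; the origin is supplied by the caller).
    static MockHttpServletRequest preflightFrom(String origin) {
        MockHttpServletRequest request = new MockHttpServletRequest("OPTIONS", "/api/items");
        request.addHeader(HttpHeaders.ORIGIN, origin);
        request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "PUT");
        request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_HEADERS, "Content-Type");
        return request;
    }

    // Runs the preflight through the processor and prints what the browser would receive.
    static void show(String origin) throws IOException {
        MockHttpServletResponse response = new MockHttpServletResponse();
        boolean accepted = new DefaultCorsProcessor().processRequest(policy(), preflightFrom(origin), response);
        System.out.printf("%nOrigin %s -> accepted=%b status=%d%n", origin, accepted, response.getStatus());
        for (String name : response.getHeaderNames()) {
            System.out.printf("  %s: %s%n", name, response.getHeader(name));
        }
    }

    public static void main(String[] args) throws IOException {
        // Allowed: Access-Control-Allow-Origin echoes the origin, Allow-Methods lists PUT,
        // Allow-Credentials is true.
        show("http://localhost:3000");
        // Rejected: status 403 ("Invalid CORS request") and no Access-Control-Allow-* headers,
        // so the browser never sends the real PUT.
        show("http://attacker.example");
    }
}
```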

2. CSRF (Cross-Site Request Forgery)

Definition:

CSRF is a type of attack in which a malicious website tricks a user’s browser into performing an unwanted action on a different website where the user is authenticated (e.g., submitting a form, making a transaction). It exploits the trust that a website has in the user’s browser.

How CSRF Works:

  • If a user is logged into a website (e.g., a banking site), an attacker can create a malicious page that tricks the user’s browser into sending requests to that site without the user’s consent. This can result in unauthorized actions, such as money transfers or account changes.
  • CSRF protection ensures that the requests sent to the server come from a legitimate source by requiring a token (CSRF token) to be included in forms or headers.

CSRF Protection in Spring Boot:

By default, Spring Security provides CSRF protection. When CSRF protection is enabled, each form submission includes a CSRF token that is validated by the server.

  • A CSRF token is a unique, secret, and unpredictable value that is generated by the server and included in HTTP requests (usually in forms or headers). The server checks this token to ensure that the request originated from its own pages rather than from a third-party site, which cannot read the token.

Disabling CSRF:

In cases where you're working with stateless APIs (e.g., using JWT tokens for authentication), you might want to disable CSRF: the protection is not relevant when the browser does not attach the credential automatically, as it does with session cookies, because a third-party page then has no way to forge an authenticated request. If the same API also accepts a session cookie, it still needs CSRF protection.

Example — Disabling CSRF in Spring Boot:

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Spring Security 5.x adapter style (deprecated in 5.7 and removed in 6.0, where a
// SecurityFilterChain bean replaces the adapter).
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Disable CSRF protection. Acceptable only because clients authenticate with a
            // bearer token (e.g., a JWT in the Authorization header) that the browser never
            // attaches on its own; with session cookies this would re-open the CSRF hole.
            .csrf().disable()
            .authorizeRequests()
            .anyRequest().authenticated(); // Ensure all requests are authenticated
    }
}
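Added example (not from the article) of the opposite decision: a Spring Security 5.8+/6 component-style configuration that keeps CSRF protection on for an API authenticated with a session cookie and consumed by the http://localhost:3000 front end, exposes the token in a readable cookie for the front end to echo back, and wires CORS into the security filter chain so pre-flight requests are not blocked by the authentication rule. The class name SpaSecurityConfig and the header and method lists are assumptions.

```java
import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.csrf.CsrfTokenRequestAttributeHandler;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

@Configuration
@EnableWebSecurity
public class SpaSecurityConfig {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // Run the CORS filter inside the security chain, ahead of the authentication rule,
            // so a pre-flight OPTIONS is answered instead of being rejected as unauthenticated.
            .cors(cors -> cors.configurationSource(corsConfigurationSource()))
            // Session cookies are attached by the browser automatically, so CSRF stays ON.
            // The token is exposed in a readable XSRF-TOKEN cookie; the front end sends it back
            // in the X-XSRF-TOKEN header, which a page on another origin cannot read or set.
            .csrf(csrf -> csrf
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
                .csrfTokenRequestHandler(new CsrfTokenRequestAttributeHandler()))
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated());
        return http.build();
    }

    // Same policy as the article's WebConfig, expressed as a bean the security chain can use.
    @Bean
    public CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration config = new CorsConfiguration();
        config.setAllowedOrigins(List.of("http://localhost:3000")); // explicit origin: "*" is rejected with credentials
        config.setAllowedMethods(List.of("GET", "POST", "PUT", "DELETE"));
        config.setAllowedHeaders(List.of("Content-Type", "X-XSRF-TOKEN")); // assumed header list
        config.setAllowCredentials(true);
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", config);
        return source;
    }
}
```

With this chain a state-changing request without a matching X-XSRF-TOKEN header is rejected with 403, while the cookie-less bearer-token case in the article's SecurityConfig remains the right place to turn the check off. Spring Security 6 loads the token lazily, so the cookie is written once the token is first resolved; the Spring Security reference documents the small extra filter some single-page front ends use to force that.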

  • CORS: A browser-based security mechanism that controls cross-origin requests from web applications. It is configured using response headers, and Spring Boot allows flexible configuration.
  • CSRF: An attack in which a malicious site tricks a user's browser into performing unwanted actions (like form submissions) on a site they are authenticated on. Spring Security's token-based CSRF protection is enabled by default but can be disabled for stateless APIs that do not rely on cookies.