Skip to content

Is CSRF token require for Rest API in Spring boot

I am creating a Rest API using Spring boot on back-end and React js on frontend . I have a login form on React , should I enable csrf token on login/register form or not .

After user logs in that user will get access token which I will store in memory in React and Refresh token in http only secure cookies . Should I use CSRF token here as well .

Whenever access token expires I will send a request to refresh token route using axios interceptors after that if refresh token is valid then I will get a new pair of access and refresh token .

Frontend is running on localhost:3000 , I have configured cors on backend only allowing request from origin localhost:3000 .

Should I use CSRF token .



This is your choice:)

Spring Security provides OOTB support for the CSRF token and it’s enabled by default. We don’t need any specific steps to enable this feature, however, you can disable this feature by csrf().disable() in your Spring security config class.

We should activate the Spring security CSRF for the following use cases:

  1. If a normal user triggers the request.
  2. In case it’s processed by browser.

We can disable this in case a client other than browser or user start and process the request.

In the case of Rest API, I suggest not using it.

But Enabling CSRF is recommended when using REST APIs with cookies for authentication. If your REST API uses the WCToken or WCTrustedToken tokens for authentication, then additional CSRF protection is not required.

CSRF is a type of malicious attack that tricks a user into sending unintended requests to modify data when only cookies are used for authentication. For example, an attacker can trick an authenticated user into clicking a link that updates their personal information without their knowledge. In such an example, an unprotected HCL Commerce site would accept this request as valid, as proper session cookies exist as part of the request.

However, when CSRF protection is enabled, a special HTTP header, called WCAuthToken, is required as part of the request. If the token is expected, its value must be equal to the authToken request attribute set by the store runtime.