Protecting Web Application From CSRF Attack Using Spring Security
I am implementing CSRF protection in my web application.
I have used org.springframework.security.web.csrf.CookieCsrfTokenRepository class to generate the X-XSRF token. This token is being sent as cookie in every request's response.
UI component which is a single page application deployed on different server is read this cookie and read the X-XSRF token from cookie and set it as header in all subsequent requests.
Spring validates the received X-XSRF token and allow/deny the request. This works fine.
But their is a constraint this X-XSRF cookie has to be httpOnly is false so that client side JavaScript can read it.
We cannot read a cookie for which httpOnly is true.
Is there any other alternative to protect web application CSRF in an web application where X-XSRF token cookie httpOnly is true.
Using JavaScript method (document.cookie) I can not read the cookies for which httpOnly attribute is set to true, see:
- How to read a secure cookie using JavaScript
- Secure and HttpOnly cookies
- Cross-Site Request Forgery Prevention Cheat Sheet
I can not made the changes to make all the cookies as httpOnly is false in Websphere.
Or am I missing something where client side JavaScript can read the cookie which is httpOnly is true.
Answer
See Spring Security Reference:
CookieCsrfTokenRepository
There can be cases where users will want to persist the
CsrfTokenin a cookie. By default theCookieCsrfTokenRepositorywill write to a cookie namedXSRF-TOKENand read it from a header namedX-XSRF-TOKENor the HTTP parameter_csrf. These defaults come from AngularJSYou can configure
CookieCsrfTokenRepositoryin XML using the following:<http> <!-- ... --> <csrf token-repository-ref="tokenRepository"/> </http> <b:bean id="tokenRepository" class="org.springframework.security.web.csrf.CookieCsrfTokenRepository" p:cookieHttpOnly="false"/>The sample explicitly sets
cookieHttpOnly=false. This is necessary to allow JavaScript (i.e. AngularJS) to read it. If you do not need the ability to read the cookie with JavaScript directly, it is recommended to omitcookieHttpOnly=falseto improve security.You can configure
CookieCsrfTokenRepositoryin Java Configuration using:@EnableWebSecurity public class WebSecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http .csrf() .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()); } }The sample explicitly sets
cookieHttpOnly=false. This is necessary to allow JavaScript (i.e. AngularJS) to read it. If you do not need the ability to read the cookie with JavaScript directly, it is recommended to omitcookieHttpOnly=false(by using newCookieCsrfTokenRepository()instead) to improve security.
Related Questions
- → How to update data attribute on Ajax complete
- → October CMS - Radio Button Ajax Click Twice in a Row Causes Content to disappear
- → Octobercms Component Unique id (Twig & Javascript)
- → Passing a JS var from AJAX response to Twig
- → Laravel {!! Form::open() !!} doesn't work within AngularJS
- → DropzoneJS & Laravel - Output form validation errors
- → Import statement and Babel
- → Uncaught TypeError: Cannot read property '__SECRET_DOM_DO_NOT_USE_OR_YOU_WILL_BE_FIRED' of undefined
- → React-router: Passing props to children
- → ListView.DataSource looping data for React Native
- → Can't test submit handler in React component
- → React + Flux - How to avoid global variable
- → Webpack, React & Babel, not rendering DOM