Closed atulejko closed 8 years ago
There is more behind it than just the default behavior of Spring Security.
"While this control does help mitigate the risk of CSRF attacks, the unique per-session token is being exposed for GET requests. CSRF tokens in GET requests are potentially leaked at several locations: browser history, HTTP log files, network appliances that make a point to log the first line of an HTTP request, and Referer headers if the protected site links to an external site." More information available in OWASP cheat sheet: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#Disclosure_of_Token_in_URL
Cheers, Bartek
what is the current state here? Can this issue be closed?
I think yes, someone needs to merge.
- CSRF token only for PUT, POST, DELETE
- Important fix (Marek's request)
The client side of the sample application should not attach the CSRF token to GET requests. Due to the default behavior of Spring's org.springframework.security.web.csrf.CsrfFilter filter, the CSRF token in GET requests is not protected.
(issue moved from oasp4j - #311)
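As an added example (not code from this issue or the project's own client), here is a small fetch wrapper that attaches the CSRF token only to state-changing requests and refuses URLs that carry it as a query parameter. It assumes the server reads the token from the `X-CSRF-TOKEN` header and the `_csrf` parameter (Spring Security's defaults); the token value, URLs and stub fetch are constructed for the demo.

```javascript
// Methods CsrfFilter does not verify by default; sending the token with them
// only exposes it in history, logs and Referer headers.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'TRACE', 'OPTIONS']);
const CSRF_HEADER = 'X-CSRF-TOKEN';   // Spring Security default header name
const CSRF_PARAM = '_csrf';           // Spring Security default parameter name

function needsCsrfToken(method) {
  return !SAFE_METHODS.has(String(method || 'GET').toUpperCase());
}

// Build the RequestInit for fetch(): token in a header, never in the URL,
// and only for state-changing methods. Any token a caller placed in the
// headers by hand is removed first so it cannot ride along on a GET.
function buildRequestInit(method, token, init = {}) {
  const upper = String(method || 'GET').toUpperCase();
  const headers = { ...(init.headers || {}) };
  for (const key of Object.keys(headers)) {
    if (key.toLowerCase() === CSRF_HEADER.toLowerCase()) delete headers[key];
  }
  if (needsCsrfToken(upper)) headers[CSRF_HEADER] = token;
  return { ...init, method: upper, headers };
}

// Reject requests whose URL carries the token as a query parameter.
function assertNoTokenInUrl(url) {
  const parsed = new URL(url, 'http://localhost'); // base only for relative URLs
  if (parsed.searchParams.has(CSRF_PARAM)) {
    throw new Error('CSRF token must not be sent in the URL');
  }
}

// fetchImpl is injectable so the wrapper can be exercised without a network.
function createCsrfClient(token, fetchImpl) {
  return (url, init = {}) => {
    assertNoTokenInUrl(url);
    return fetchImpl(url, buildRequestInit(init.method, token, init));
  };
}

// Demo with a constructed token and a stub fetch that records what was sent.
const sampleToken = 'constructed-sample-token';
const sent = [];
const client = createCsrfClient(sampleToken, (url, init) => {
  sent.push({ url, init });
  return Promise.resolve({ ok: true });
});
client('/api/items', { method: 'GET' });                 // no token header
client('/api/items', { method: 'post', body: '{}' });    // token header added
```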