oasp / oasp4js

OASP4JS deprecated repository
Apache License 2.0

Removal of CSRF token from GET requests #75

Closed atulejko closed 8 years ago

atulejko commented 8 years ago

The client side of the sample application should not attach the CSRF token to GET requests. Due to the default behavior of Spring's org.springframework.security.web.csrf.CsrfFilter filter, the CSRF token in GET requests is not protected.

(issue moved from oasp4j - #311)

dumbNickname commented 8 years ago

There is more behind it than just default behavior of Spring security.

"While this control does help mitigate the risk of CSRF attacks, the unique per-session token is being exposed for GET requests. CSRF tokens in GET requests are potentially leaked at several locations: browser history, HTTP log files, network appliances that make a point to log the first line of an HTTP request, and Referer headers if the protected site links to an external site." More information available in OWASP cheat sheet: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#Disclosure_of_Token_in_URL

Cheers, Bartek

maybeec commented 8 years ago

What is the current state here? Can this issue be closed?

tomaszwawrzyniakit commented 8 years ago

I think yes, someone needs to merge.

- CSRF token only for PUT, POST, DELETE
- Important fix (Marek request)
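The client-side change the thread agrees on, written as an added example rather than the oasp4js project's own code: a request interceptor in the shape of an AngularJS `$http` interceptor that attaches the token only to methods Spring Security's default CSRF matcher actually checks, and strips it from safe requests so it is not exposed in headers, logs or URLs. The header name `X-CSRF-TOKEN` and the `_csrf` parameter name are assumed to be Spring Security's defaults; `getToken` is a caller-supplied function.

```javascript
'use strict';

// Methods Spring Security's default CSRF matcher leaves unprotected (assumption: the
// server keeps that default). A token sent on these is never verified, only exposed.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'TRACE', 'OPTIONS']);

// Assumed Spring Security default names; adjust if the server is configured differently.
const CSRF_HEADER = 'X-CSRF-TOKEN';
const CSRF_PARAM = '_csrf';

// True for state-changing methods (POST, PUT, DELETE, PATCH, ...), false for safe ones.
function requiresCsrfToken(method) {
  return !SAFE_METHODS.has(String(method || 'GET').toUpperCase());
}

// Takes an $http-style request config and returns a copy with the CSRF token attached
// only where it is needed. Safe requests have any token header and `_csrf` param removed,
// which is what prevents the leak into browser history, proxy logs and Referer headers.
function attachCsrfHeader(config, getToken) {
  const out = Object.assign({}, config, {
    headers: Object.assign({}, config.headers),
    params: Object.assign({}, config.params)
  });
  if (!requiresCsrfToken(out.method)) {
    delete out.headers[CSRF_HEADER];
    delete out.params[CSRF_PARAM];
    return out;
  }
  const token = getToken();
  if (token) {
    out.headers[CSRF_HEADER] = token;
  }
  return out;
}

// Constructed sample requests, as the AngularJS client might issue them.
function demo() {
  const getToken = () => 'constructed-token-value';
  return {
    // A GET that mistakenly carries the token in both header and query string.
    get: attachCsrfHeader({
      method: 'GET', url: '/services/rest/tables',
      headers: { 'X-CSRF-TOKEN': 'constructed-token-value' },
      params: { _csrf: 'constructed-token-value', page: 1 }
    }, getToken),
    post: attachCsrfHeader({
      method: 'POST', url: '/services/rest/tables',
      headers: { 'Content-Type': 'application/json' }
    }, getToken)
  };
}
```

Registering `attachCsrfHeader` as the `request` hook of an `$httpProvider` interceptor applies this to every call the client makes.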