quarkiverse / quarkus-renarde

Server-side Web Framework with Qute templating, magic/easier controllers, auth, reverse-routing
Apache License 2.0
73 stars 16 forks

Is it possible to disable CSRF checks for certain resources/endpoints? #200

Open preslavrachev opened 4 months ago

preslavrachev commented 4 months ago

One of our applications uses Renarde and there are several controllers that inherit from @Controller, as well as others that should serve as plain REST API endpoints. While I understand the security concerns, these endpoints really don't need this extra layer, as we really only use them internally. I even explicitly annotate endpoints with @Produces and @Consumes to indicate that we are not talking about a controller action, but a plain REST endpoint.

@Consumes("application/json")
@Produces("application/json")

However, the CSRF check would kick in everywhere and would require me to dig in for a CSRF token. Not only that, but if you add DEBUG logging you'll see this in the logs:

Request has the wrong media type: application/json

which makes no sense to me - my request is perfectly fine. It is the CSRF filter that is out of place here.

Anyway, is there a way to disable the filter for certain resources/endpoints? Also, correct me if I am wrong, but this is not the case in a vanilla Quarkus application - only if I add Renarde on top (which, I assume, is because it pulls in the CSRF module dependency).

FroMage commented 4 months ago

You can disable CSRF token verification for non-forms with the quarkus.csrf-reactive.require-form-url-encoded=false configuration.

You can also achieve CSRF token verification using an HTTP header for those APIs.

Does this help?
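To make the effect of that setting concrete, here is an added Python sketch of the double-submit-cookie decision a filter like this makes for form bodies versus JSON bodies; it is not the Quarkus or Renarde source. The default cookie, form-field and header names ("csrf-token", "csrf-token", "X-CSRF-TOKEN") and the exact rule for non-form bodies are assumptions to check against the quarkus.csrf-reactive reference.

```python
import hmac
from dataclasses import dataclass, field

# Media types whose body is expected to carry the CSRF token as a form field.
FORM_TYPES = ("application/x-www-form-urlencoded", "multipart/form-data")


@dataclass
class Request:
    """Constructed stand-in for an incoming HTTP request."""
    method: str
    content_type: str
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def csrf_check(req, require_form_url_encoded=True,
               cookie_name="csrf-token", form_field="csrf-token",
               header_name="X-CSRF-TOKEN"):
    """Return (allowed, reason) for a simplified double-submit-cookie check.

    require_form_url_encoded=True models the default: only form bodies may
    carry the token, so a JSON POST is rejected on media type alone (the
    "wrong media type" DEBUG line). With False, non-form requests are still
    verified, but the token is read from a request header instead.
    The names above are assumed defaults, not values taken from the docs.
    """
    if req.method.upper() in ("GET", "HEAD", "OPTIONS"):
        return True, "safe method, not checked"
    expected = req.cookies.get(cookie_name)
    if not expected:
        return False, "no CSRF cookie on request"
    media = req.content_type.split(";")[0].strip().lower()
    if media in FORM_TYPES:
        presented = req.form.get(form_field)
    elif require_form_url_encoded:
        return False, f"Request has the wrong media type: {media}"
    else:
        # Header names are case-insensitive; normalise before lookup.
        lowered = {k.lower(): v for k, v in req.headers.items()}
        presented = lowered.get(header_name.lower())
    # Constant-time comparison so a mismatch leaks nothing about the token.
    if not presented or not hmac.compare_digest(presented, expected):
        return False, "CSRF token missing or does not match cookie"
    return True, "token verified"
```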

preslavrachev commented 3 months ago

@FroMage it did help, indeed. I took some time to check if the CSRF tokens are still required where they should be (and they were), so I guess, this issue can be closed.

However, it opens up an interesting point about documenting it. I checked the entire Renarde documentation and found no mention of it, so I believe it is worth adding to the Security page. Should I open a PR?

FroMage commented 3 months ago

Yes, that'd be great, thanks :)