What is the reason to disable csrf in spring boot web application?

java spring spring-boot spring-security csrf

arminvanbuuren · Sep 17, 2018 · Viewed 7.9k times · Source

There are many tutorials where is shown how to disable csrf,

csrf().disable()

(and other possibilities like .properties, .yml, etc.) but nowhere explained why they do this?

So my questions are:

What is the real-life reason to disable it?
Is it improves performance?

Answer

What is the real-life reason to disable it?

The Spring documentation suggests:

Our recommendation is to use CSRF protection for any request that could be processed by a browser by normal users. If you are only creating a service that is used by non-browser clients, you will likely want to disable CSRF protection.

Does it improve performance?

It shouldn't impact the performance. A filter (or another component) will be removed from the request processing chain to make the feature unavailable.

What is the reason to disable csrf in a Spring Boot application?

You are using another token mechanism.
You want to simplify interactions between a client and the server.

What is the reason to disable csrf in spring boot web application?

Answer

Related questions