CSRF (Cross-Site Request Forgery): attacker lừa browser user gửi request đến server — browser tự đính kèm cookie session.
Cơ chế: server tạo CSRF token (random, per-session) → embed vào form → state-changing request phải kèm token → server verify.
Khi TẮT CSRF (an toàn):
- Stateless REST API dùng JWT/Bearer token — không có cookie session → CSRF không applicable.
http.csrf(AbstractHttpConfigurer::disable) // stateless APIKhi BẬT (cần):
- Web app dùng session cookie (Thymeleaf, JSP, traditional MVC).
- Browser-facing form submission.
// JavaScript/fetch cần gửi token:
fetch("/api/order", {
method: "POST",
headers: { "X-CSRF-TOKEN": getCsrfToken() },
body: JSON.stringify(order)
});2026: hầu hết Spring Boot app dùng REST + JWT → tắt CSRF.
Web app truyền thống → bật (default).
CSRF (Cross-Site Request Forgery): an attacker tricks a user's browser into sending a request — the browser automatically includes the session cookie.
Mechanism: server generates a CSRF token (random, per-session) → embeds in forms → state-changing requests must include the token → server verifies.
When to DISABLE (safe):
- Stateless REST APIs using JWT/Bearer tokens — no session cookie → CSRF is not applicable.
http.csrf(AbstractHttpConfigurer::disable) // stateless APIWhen to ENABLE (required):
- Web apps using session cookies (Thymeleaf, JSP, traditional MVC).
- Browser-facing form submissions.
// JavaScript/fetch must send the token:
fetch("/api/order", {
method: "POST",
headers: { "X-CSRF-TOKEN": getCsrfToken() },
body: JSON.stringify(order)
});2026: most Spring Boot apps use REST + JWT → disable CSRF.
Traditional web apps → enable (default).