
CSRF and Spring Security

I have been trying to get a grip on Spring Security and always get confused with the initial configuration. In a few tutorials I find CSRF disabled, and in a few I find it enabled.

On some forums it's written that it's good to disable it, and in some tutorials a few people mention that it's not a good practice to disable CSRF.

My point is: why do we need CSRF? What's the reason behind using CSRF? What if we disable it, and why shouldn't we disable it?

http.csrf()
.csrfTokenRepository(csrfTokenRepository()).and()
.addFilterAfter(csrfHeaderFilter(), CsrfFilter.class)

and

http.csrf().disable()
.exceptionHandling().and()
.anonymous().and()
.servletApi().and()
.headers().cacheControl().and()
.authorizeRequests()

What's the best configuration if I am using Spring Security with REST? Because in the second configuration it's showing me a popup window to log in, and in the first configuration it's giving me

(Expected CSRF token not found. Has your session expired?)

Whether CSRF is enabled or not depends on the Spring Security version and the type of configuration used.

Before Spring Security 4, when using XML configuration CSRF would be disabled, and when using Java-based configuration it would be enabled. As of Spring Security 4, CSRF is enabled by default for both XML and Java-based configuration.

Do you need CSRF? Well, if you have a public-facing site or API I would say yes. Every security layer you disable makes your application more vulnerable.

What CSRF is is explained on this page.
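As an added example (not code from the question or the answer above), here is one way to keep CSRF protection enabled for a REST API served to a browser client and avoid the Basic-auth login popup the asker saw. It assumes Spring Security 4.1 or later with a `WebSecurityConfigurerAdapter`; the `/api/public/**` path and the class name are placeholders.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.authentication.HttpStatusEntryPoint;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

@Configuration
@EnableWebSecurity
public class RestSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // CSRF stays ON. CookieCsrfTokenRepository writes the token into an
            // XSRF-TOKEN cookie; same-origin JavaScript reads it and echoes it back
            // in the X-XSRF-TOKEN header on POST/PUT/DELETE. httpOnly must be false
            // so the script can read it. A page on another origin cannot read the
            // cookie, so it cannot supply the header and the forged request is
            // rejected with "Expected CSRF token not found", which is the check doing
            // its job, not a misconfiguration.
            .csrf()
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
                .and()
            // Answer unauthenticated requests with a plain 401 instead of a
            // WWW-Authenticate challenge, so the browser does not raise the
            // Basic-auth popup that the asker's second configuration produced.
            .exceptionHandling()
                .authenticationEntryPoint(new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED))
                .and()
            .authorizeRequests()
                .antMatchers("/api/public/**").permitAll()   // placeholder path
                .anyRequest().authenticated()
                .and()
            .httpBasic();
    }
}
```

The client side of this contract is that the browser code must read the XSRF-TOKEN cookie and send its value in the X-XSRF-TOKEN header on every state-changing request; a REST client that omits the header gets exactly the rejection quoted in the question. If the API is only ever called with a token placed in the Authorization header by code (no session cookie, no browser-cached Basic credentials), a cross-site page has nothing to forge with, which is the one case where disabling CSRF is defensible.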
