使用Spring Security保护Web应用程序免受CSRF攻击

Question

I am implementing CSRF protection in my web application.

I have used org.springframework.security.web.csrf.CookieCsrfTokenRepository class to generate the X-XSRF token. This token is being sent as cookie in every request's response.

UI component which is a single page application deployed on different server is read this cookie and read the X-XSRF token from cookie and set it as header in all subsequent requests.

Spring validates the received X-XSRF token and allow/deny the request. This works fine.

But their is a constraint this X-XSRF cookie has to be httpOnly is false so that client side JavaScript can read it.

We cannot read a cookie for which httpOnly is true .

Is there any other alternative to protect web application CSRF in an web application where X-XSRF token cookie httpOnly is true .

Using JavaScript method ( document.cookie ) I can not read the cookies for which httpOnly attribute is set to true , see:

• How to read a secure cookie using JavaScript
• Secure and HttpOnly cookies
• Cross-Site Request Forgery Prevention Cheat Sheet

I can not made the changes to make all the cookies as httpOnly is false in Websphere.

Or am I missing something where client side JavaScript can read the cookie which is httpOnly is true .

Answer 1

See Spring Security Reference :

CookieCsrfTokenRepository

There can be cases where users will want to persist the CsrfToken in a cookie. By default the CookieCsrfTokenRepository will write to a cookie named XSRF-TOKEN and read it from a header named X-XSRF-TOKEN or the HTTP parameter _csrf . These defaults come from AngularJS

You can configure CookieCsrfTokenRepository in XML using the following:

 <http> <!-- ... --> <csrf token-repository-ref="tokenRepository"/> </http> <b:bean id="tokenRepository" class="org.springframework.security.web.csrf.CookieCsrfTokenRepository" p:cookieHttpOnly="false"/> 

The sample explicitly sets cookieHttpOnly=false . This is necessary to allow JavaScript (ie AngularJS) to read it. If you do not need the ability to read the cookie with JavaScript directly, it is recommended to omit cookieHttpOnly=false to improve security.

You can configure CookieCsrfTokenRepository in Java Configuration using:

 @EnableWebSecurity public class WebSecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http .csrf() .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()); } } 

The sample explicitly sets cookieHttpOnly=false . This is necessary to allow JavaScript (ie AngularJS) to read it. If you do not need the ability to read the cookie with JavaScript directly, it is recommended to omit cookieHttpOnly=false (by using new CookieCsrfTokenRepository() instead) to improve security.