Skip to content

Auth: enable CSRF protection (SPA double-submit pattern)#51

Open
RandyJDean wants to merge 1 commit into
07-09-auth_fix_verify_page_stuck_on_spinner_under_strictmodefrom
07-09-auth_enable_csrf_protection_spa_double-submit_pattern_
Open

Auth: enable CSRF protection (SPA double-submit pattern)#51
RandyJDean wants to merge 1 commit into
07-09-auth_fix_verify_page_stuck_on_spinner_under_strictmodefrom
07-09-auth_enable_csrf_protection_spa_double-submit_pattern_

Conversation

@RandyJDean

Copy link
Copy Markdown
Contributor

CSRF was disabled on the SameSite=Lax + JSON-only rationale, but with a
JDBC-backed session cookie the token machinery is the defense-in-depth
norm (and security tooling rightly flags csrf.disable()).

  • CookieCsrfTokenRepository writes a JS-readable XSRF-TOKEN cookie on
    every response via SpaCsrfTokenRequestHandler (the Spring-documented
    SPA handler: BREACH-safe masking, raw header resolution)
  • apiFetch echoes the cookie as X-XSRF-TOKEN on state-changing requests
  • Pre-auth endpoints (request-link, verify) are exempt: their only
    credential is in the body and a first-time visitor has no CSRF
    cookie yet; logout and everything else require the token
  • SecurityWiringTest: token-less POST -> 403, logout with token -> 200

Co-Authored-By: Claude Fable 5 noreply@anthropic.com

CSRF was disabled on the SameSite=Lax + JSON-only rationale, but with a
JDBC-backed session cookie the token machinery is the defense-in-depth
norm (and security tooling rightly flags csrf.disable()).

- CookieCsrfTokenRepository writes a JS-readable XSRF-TOKEN cookie on
  every response via SpaCsrfTokenRequestHandler (the Spring-documented
  SPA handler: BREACH-safe masking, raw header resolution)
- apiFetch echoes the cookie as X-XSRF-TOKEN on state-changing requests
- Pre-auth endpoints (request-link, verify) are exempt: their only
  credential is in the body and a first-time visitor has no CSRF
  cookie yet; logout and everything else require the token
- SecurityWiringTest: token-less POST -> 403, logout with token -> 200

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@sonarqubecloud

Copy link
Copy Markdown

Quality Gate Failed Quality Gate failed

Failed conditions
D Security Rating on New Code (required ≥ A)

See analysis details on SonarQube Cloud

💡 Need a hand with PR review? Try Gitar by Sonar!

@RandyJDean RandyJDean marked this pull request as ready for review July 10, 2026 18:47
@RandyJDean RandyJDean requested a review from a team as a code owner July 10, 2026 18:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant