When we write about Spring Security, there is usually a line like this:

```java
httpSecurity.csrf().disable();
```

This disables CSRF protection. What is CSRF, and why would you disable it?

Because without that line there is a good chance you will run into an error like this:

```text
HTTP Status 403 - Invalid CSRF Token 'null' was found on the request parameter '_csrf' or header 'X-CSRF-TOKEN'.
```

This is the cross-domain access problem that causes so much trouble in web development.

Spring Security ships with CSRF protection, and it is enabled by default. Frankly, CSRF protection and RESTful APIs conflict. By default the protection lets GET, HEAD, TRACE and OPTIONS requests through without a token; POST is not exempted.

What is CSRF? Cross-Site Request Forgery, also known as One Click Attack or Session Riding, is a web application security problem: an attacker gets a trusted site to act on requests forged in the user's name.

The mechanics of the attack are simple. If no restriction is in place, a forged request can hit a high-risk POST endpoint and modify data on the server.

For example, forging a POST request could delete the user's data.

A request is only same-domain when the IP address, the network protocol and the port all match; if any of the three differs, it is cross-domain. Why does this cross-domain problem not show up in traditional web development, yet become obvious when developing REST APIs?

In traditional web development the server first returns a session ID to the client, and every subsequent request from that client carries the same session ID.

In RESTful development, however, this cannot be avoided: the API is exposed to many different clients, which may come from different IP addresses, especially when several servers are deployed.

Therefore, we need to disable CSRF in our Spring Security configuration.

How to disable it

The CSRF protection is an HTTP filter that you disable in your application's security configuration.

[![Spring-security-csrf-01](https://cdn.ossez.com/discourse-uploads/optimized/1X/ec8a61c74616ed7dbf84c336c588270ecbcafa95_2_690x180.png)](https://cdn.ossez.com/discourse-uploads/original/1X/ec8a61c74616ed7dbf84c336c588270ecbcafa95.png "Spring-security-csrf-01")

The code is the line shown at the top of this post.

www.ossez.com/t/spring-se…