Cross-site request forgery (CSRF) is a trivial attack on a web application, which - if vulnerable to this attack - allows an attacker to perform a state-modifying operation on behalf of an authenticated, honest user. Depending on the nature of the web application and the operations an authenticated user may perform, the potential damage may be significant. For instance, a vulnerable application may allow an attacker to take over an honest user's account by changing that user's email address to his own.

A variation on CSRF is "login CSRF", which is an attack tricking an honest user to log into a vulnerable application with an account owned by the attacker. An unsuspecting user who fell victim to this attack may add valuable information, such as his address or payment information to the account, resulting in a leak of sensitive user data to the attacker.

More information on cross-site request forgery can be found at the Open Web Application Security Project: CSRF.

To reduce a CAE application's risk of vulnerability to CSRF attacks, the CAE makes use of the Spring Security CSRF protection.

The Spring Security CSRF protection for the CAE is configured in CaeWebSecurityAutoConfiguration#securityFilterChain(HttpSecurity). For customizations see Section 4.3.8, “Spring Security” and Spring Security documentation on CSRF support for Servlet Environments.

To provide CSRF protection for web forms, add this to the templates:

<#-- @ftlvariable name="_csrf" type="org.springframework.security.web.csrf.CsrfToken" -->
<form>
  <#if _csrf?has_content>
    <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}">
  </#if>
  ...
</form>

Caution

The name of the ftlvariable for the CsrfToken in the FreeMarker templates must match the name of the configured CSRF token parameter. Changing the parameter name (using HttpSessionCsrfTokenRepository.html#setParameterName(String)) requires the name of the ftlvariable in the FreeMarker templates to be changed likewise.