Spring Boot: POST and CSRF

If you get 403 forbidden messages when using POST

If you are trying to do a @PostMapping in your Spring Boot application and you are getting the error

403 - Forbidden

The problem is likely that you didn’t include this magic line in your form:

              <input type="hidden" th:name="${_csrf.parameterName}" th:value="${_csrf.token}" />

The solution is to include that line inside every form that submits with a state-changing method (POST, PUT, PATCH or DELETE). Two caveats: if the form uses Thymeleaf's th:action attribute, Spring Security's Thymeleaf integration inserts this hidden field for you, so you only need to add it by hand when you write the action attribute yourself; and if you call the endpoint from JavaScript rather than from a form, send the same token in the X-CSRF-TOKEN request header instead, because there is no form field to carry it.

The reason has to do with preventing cross site request forgery.

The explanation

Suppose I was running a virtual online bank, and it had the following endpoint:

badbank.com/transfer?from=you&to=me&amount=1000000

The transfer endpoint moves an amount of money from one account to another: in the above case, you'd be giving me $1,000,000. The bank knows it is "you" because your browser sends your badbank.com session cookie along with the request.

Obviously, you'd rather not navigate to that link by accident, or else you'd find yourself in financial ruin.

So I’ll just not navigate to it then

You’d think so, but consider the scenario where you encounter the following link on your favorite website:

Click here to get $100!

If you hover over the link, you'll notice that it actually points at the transfer endpoint discussed above. Because your browser attaches your badbank.com session cookie to the request no matter which site the link came from, the bank sees a perfectly authenticated transfer request. This method of attack is known in security as Cross-Site Request Forgery (CSRF). It is not Cross-Site Scripting (XSS), which involves getting script to run inside the vulnerable site itself; the two are often confused. The attacker does not even need you to click: a hidden form on their page can be auto-submitted by JavaScript, so simply changing /transfer from a GET link to a POST form does not stop the attack on its own.

This seems bad. How do we deal with it?

With CSRF tokens! Imagine now that, along with the amount, from, and to variables, the /transfer endpoint (reached by POST rather than by a plain link) also required a token value that the bank's server generates randomly and unpredictably for your session when you load the bank's pages, and embeds in every form it renders.

That way every request can be validated as coming from a form that the bank's server gave to the client, and not from some shady link or hidden form on another website. The attacker can't embed a working request in their page any more: they cannot predict a token drawn from a cryptographically secure random generator, and the browser's same-origin policy stops their page from reading the token out of the bank's HTML. Two details matter in practice. The token must be compared on the server in a way that doesn't leak information (a constant-time comparison), and, because Spring Security only checks the token on non-safe methods (anything other than GET, HEAD, OPTIONS and TRACE), a state-changing action such as /transfer must never be reachable by GET.
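To make the mechanism concrete, here is an added example, written for this page and not taken from Spring Security or from the original post, that implements the token lifecycle just described in plain Java with no framework dependency. The class name CsrfGuard, the session-id strings and the "_csrf" field name are assumptions made for the illustration; the set of methods exempt from the check mirrors Spring Security's default.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

// Illustrative stand-in for a session-bound CSRF token check (not Spring's own code).
public class CsrfGuard {
    private static final SecureRandom RNG = new SecureRandom();

    // Methods that are never checked for a token, matching Spring Security's default.
    private static final Set<String> SAFE_METHODS = Set.of("GET", "HEAD", "OPTIONS", "TRACE");

    // session id -> token issued to that session (stands in for HttpSession storage)
    private final Map<String, String> tokensBySession = new HashMap<>();

    /** Issue a fresh, unpredictable token for the session if it has none yet. */
    public String tokenFor(String sessionId) {
        return tokensBySession.computeIfAbsent(sessionId, id -> {
            byte[] raw = new byte[32];          // 256 bits from a CSPRNG
            RNG.nextBytes(raw);
            return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        });
    }

    /** What the th:name / th:value hidden input from the form expands to at render time. */
    public String hiddenField(String sessionId) {
        return "<input type=\"hidden\" name=\"_csrf\" value=\"" + tokenFor(sessionId) + "\" />";
    }

    /**
     * Decide whether a request may proceed. Safe methods always pass; any other
     * method passes only if the submitted token equals the one bound to the session.
     */
    public boolean allow(String method, String sessionId, String submittedToken) {
        if (SAFE_METHODS.contains(method)) {
            return true;
        }
        String expected = tokensBySession.get(sessionId);
        if (expected == null || submittedToken == null) {
            return false;                       // no token issued, or none submitted
        }
        // Constant-time comparison so response timing leaks nothing about the token.
        return MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                submittedToken.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        CsrfGuard guard = new CsrfGuard();
        String victimSession = "session-of-victim";   // constructed sample session id

        // 1. The victim loads the bank's transfer form; the server embeds a token in it.
        System.out.println("rendered form field: " + guard.hiddenField(victimSession));
        String token = guard.tokenFor(victimSession);

        // 2. A legitimate submit from that form carries the matching token.
        System.out.println("legitimate POST allowed: " + guard.allow("POST", victimSession, token));

        // 3. A forged POST from the attacker's page: the browser still sends the victim's
        //    session, but the attacker cannot read the token, so it is missing or guessed.
        System.out.println("POST with no token allowed: " + guard.allow("POST", victimSession, null));
        System.out.println("POST with guessed token allowed: " + guard.allow("POST", victimSession, "guess"));

        // 4. GET is never checked, which is why /transfer must not accept GET at all.
        System.out.println("GET allowed without token: " + guard.allow("GET", victimSession, null));
    }
}
```

Running the main method shows the legitimate POST accepted, the forged POSTs (missing or guessed token) rejected, and the GET waved through without any token, which is exactly the gap a state-changing GET endpoint would leave open.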

If you want to read more about the specifics on CSRF and XSS, you can check out the following articles on PortSwigger:
