CSRF protection mechanism
2022-07-19 14:58:00 【Leisurely summer】
1、What is CSRF
CSRF (Cross-Site Request Forgery) is a class of attack in which the attacker borrows your identity and sends malicious requests in your name. What CSRF can do includes sending e-mail or messages in your name, stealing your account, even buying goods or transferring virtual currency. The consequences include disclosure of personal privacy and loss of property.
CSRF was first described by security researchers abroad in 2000, but in China it only received attention around 2006; in 2008 a number of large communities and interactive websites at home and abroad were found to have CSRF vulnerabilities, such as NYTimes.com (The New York Times), Metafilter (a large blog site), YouTube and Baidu HI. Even now many sites on the Internet remain defenceless, which is why the security industry has called CSRF the "sleeping giant".
2、CSRF principle
(The original figure illustrating the attack flow is not reproduced here.)
For a CSRF attack to succeed, the victim must go through three steps in order:
- Log in to the trusted site A, so that the browser now holds A's session cookie.
- Without logging out of A, visit the malicious site B.
- Trigger an element on B (an image tag, an auto-submitting form, a script) that makes the browser send a request to A. The browser attaches A's cookie to that request automatically, so A treats the forged request as if the victim had made it.
3、CSRF defence strategies
Industry defences against CSRF fall into three main strategies: validating the HTTP Referer field; adding a token to the request and verifying it; placing the token in a custom HTTP header and verifying it.
3.1、Validating the HTTP Referer field
According to the HTTP protocol, the request header contains a field called Referer that records the address the request came from. Normally a request for a security-sensitive page originates from the same website, so the backend checks the request's Referer: if its host is the site's own domain the request is accepted; if it points to another site the request may be a CSRF attack and is rejected. Two caveats for a practitioner: compare the parsed host name exactly rather than checking that the string "starts with" your domain (a prefix check accepts https://www.example.com.evil.test/), and decide explicitly what to do when the Referer is absent, because browsers and Referrer-Policy settings may strip it. Modern browsers also send an Origin header on cross-origin POST requests, which can be checked in the same way.
3.2、Adding a token to the request and verifying it
CSRF succeeds because the attacker can fully forge the user's request, and all of the user's authentication information lives in the cookie, which the browser attaches to every request automatically; the attacker therefore passes the security check with the user's own cookie without ever knowing the credentials. The key to resisting CSRF is to put into the request a piece of information that the attacker cannot forge and that the browser does not send automatically from the cookie. A randomly generated token can be added as a parameter of the HTTP request, with an interceptor on the server side verifying it: if the request carries no token, or the token does not match the one issued for that session, the request is treated as a possible CSRF attack and rejected. Generate the token with a cryptographically secure random source, bind it to the user's session, and compare it in constant time.
3.3、Custom attribute in the HTTP header and verification
This method also uses a token and verifies it, but instead of adding the token as a parameter of the HTTP request it places it in a custom HTTP header (for example X-CSRF-TOKEN). This suits XMLHttpRequest and fetch calls, and a plain cross-site HTML form cannot set a custom header at all; a cross-origin fetch that adds one triggers a CORS preflight, which the server must not approve for untrusted origins.
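The following is an added example, not code from the original post or from Spring Security. It implements the three strategies above as one server-side check: the Origin/Referer host is parsed and compared exactly (3.1), and a per-session synchronizer token is accepted either from a form parameter (3.2) or from a custom header (3.3) and compared in constant time. The parameter name `_csrf` and header name `X-CSRF-TOKEN` are Spring Security's defaults; `TRUSTED_HOST`, the in-memory session store, the `Request` class and the sample requests in `demo()` are all constructed for illustration.

```python
"""Server-side CSRF check combining Referer/Origin validation and a synchronizer token."""
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

TRUSTED_HOST = "www.example.com"        # assumed host of the protected site
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}
TOKEN_PARAM = "_csrf"                   # Spring Security's default parameter name
TOKEN_HEADER = "X-CSRF-TOKEN"           # Spring Security's default header name
SESSION_COOKIE = "JSESSIONID"


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (constructed for the example)."""
    method: str
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


# Server-side session store: session id -> {"user": ..., "csrf": token}
SESSIONS: dict = {}


def login(user: str):
    """Create a session and a per-session CSRF token from a CSPRNG; return (sid, token)."""
    sid = secrets.token_urlsafe(32)
    token = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": token}
    return sid, token


def source_allowed(headers: dict) -> bool:
    """Strategy 3.1: prefer Origin, fall back to Referer, and compare the parsed host
    exactly. A string prefix check would wrongly accept https://www.example.com.evil.test/."""
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return False  # policy decision: an absent source header is rejected here
    return urlsplit(src).hostname == TRUSTED_HOST


def token_valid(req: Request, session: dict) -> bool:
    """Strategies 3.2/3.3: token may arrive as a form parameter or a custom header;
    the comparison is constant-time so the token cannot be recovered byte by byte."""
    presented = req.headers.get(TOKEN_HEADER) or req.form.get(TOKEN_PARAM)
    if not presented:
        return False
    return hmac.compare_digest(presented.encode(), session["csrf"].encode())


def csrf_check(req: Request):
    """Return (allowed, reason). Only state-changing methods are checked."""
    if req.method.upper() in SAFE_METHODS:
        return True, "safe method"
    session = SESSIONS.get(req.cookies.get(SESSION_COOKIE, ""))
    if session is None:
        return False, "no session"
    if not source_allowed(req.headers):
        return False, "bad origin/referer"
    if not token_valid(req, session):
        return False, "missing or wrong token"
    return True, "ok"


def demo() -> dict:
    """Constructed requests: two legitimate, three forged, one safe GET."""
    sid, token = login("alice")
    cookie = {SESSION_COOKIE: sid}          # the browser sends this on every request
    site = f"https://{TRUSTED_HOST}"
    cases = {
        # 3.2: same-site form post carrying the hidden token field
        "legit_form": Request("POST", {"Origin": site, "Referer": f"{site}/transfer"},
                              {TOKEN_PARAM: token, "amount": "100"}, cookie),
        # 3.3: same-site AJAX call carrying the token in a custom header
        "legit_ajax": Request("POST", {"Origin": site, TOKEN_HEADER: token}, {}, cookie),
        # Forged post from the attacker's page: cookie present, no token, foreign origin
        "forged_no_token": Request("POST", {"Origin": "https://evil.test",
                                            "Referer": "https://evil.test/attack.html"},
                                   {"amount": "100"}, cookie),
        # Attacker hosts the page on a look-alike subdomain to defeat a prefix check
        "referer_prefix_trick": Request("POST", {"Referer": f"{site}.evil.test/"},
                                        {"amount": "100"}, cookie),
        # Correct origin but a guessed token: the token layer still rejects it
        "guessed_token": Request("POST", {"Referer": f"{site}/transfer"},
                                 {TOKEN_PARAM: secrets.token_urlsafe(32)}, cookie),
        # Safe method: not subject to the check
        "safe_get": Request("GET", {}, {}, cookie),
    }
    return {name: csrf_check(req) for name, req in cases.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:22} -> {result}")
```

The order of the checks matters for the error a client sees: a cross-site request is rejected on its source before the token is even inspected, while a same-site request with a stale or guessed token is rejected on the token. Either layer alone already stops the forged requests in `demo()`; using both means a stripped Referer or a leaked token does not by itself defeat the protection.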
4、The CSRF defence mechanism in Spring Security
org.springframework.security.web.csrf.CsrfFilter
Spring Security's CsrfFilter implements the token strategy described above. For every request whose method is not GET, HEAD, TRACE or OPTIONS (that is, POST, PUT, PATCH and DELETE) it requires the system-generated CSRF token, read from the `_csrf` request parameter or the `X-CSRF-TOKEN` header; if the token is missing or does not match the one stored for the session, the request is rejected with 403 Forbidden. In short, the filter does two things: 1. generate the token, 2. verify the token.
4.1、Turning CSRF protection on
CSRF protection is enabled by default. The configuration below keeps it on and exempts only the paths that do not need it:
```java
// disable CSRF protection entirely (not recommended for browser-facing applications)
// http.csrf().disable();

// keep CSRF protection on, but define which paths do not need it
http.csrf().ignoringAntMatchers("/user/save");
```
Be careful with exemptions: a state-changing endpoint such as /user/save that is authenticated by the session cookie is exactly what CSRF targets, so only exempt endpoints that are not cookie-authenticated. In Spring Security 5.8 and 6, `ignoringAntMatchers` has been replaced by `ignoringRequestMatchers`.
4.2、Adding the token value to the page
Every form that performs a POST must carry the token as a hidden field; in Thymeleaf:
```html
<input type="hidden" th:name="${_csrf.parameterName}" th:value="${_csrf.token}"/>
```
When the form uses th:action, Spring Security's CsrfRequestDataValueProcessor injects this hidden field automatically; the explicit input is needed for forms that do not.