I’m looking at how to secure my website with a CSRF token.
I have an Angular front-end application on which there is a login page with username and password.
On the back end I have a Spring Boot application (in Kotlin, but that doesn't matter).
I use Spring Security for all security management.
If I’ve understood correctly, with the default configuration in Spring Security the first CSRF token is generated using a hidden field in the connection form called `_csrf`. But this field is used in an HTML view (a document) returned by the API. It has nothing to do with my front-end form…
```kotlin
// Inside the @Configuration class; Kotlin DSL with CSRF protection left at its defaults
@Bean
open fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
    http {
        // ...
        csrf { }
    }
    return http.build()
}
```
```html
<input type="hidden"
       name="_csrf"
       value="4bfd1575-3ad1-4d21-96c7-4ef2d9f86721"/>
```
But the problem is that I want to log in via my front-end, not the HTML view provided by the back-end API.
So I have to include the CSRF token in my login request before I even have it…
What’s the solution using Spring Security? I can’t find what I’m looking for in the documentation.
Thank you for your help.
docs.spring.io/spring-security/reference/servlet/exploits/…
Unless I’m mistaken, this part describes how the token can be transmitted, not how it is created the first time.
Why downvote the question? Give an explanation! It’s a legitimate question. The fact is that I don’t understand something, even with the documentation.
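The usual way to resolve the chicken-and-egg problem above is to stop using the hidden `_csrf` form field and let Spring Security hand the token to the SPA in a cookie: the first request of any kind (a plain GET is enough) receives a `Set-Cookie: XSRF-TOKEN=...`, Angular's `HttpClient` reads that cookie and echoes it as the `X-XSRF-TOKEN` header on every mutating request, and the login POST therefore already carries a valid token. The configuration below is an added example written for this answer, not code from the question or from the Spring project; it assumes Spring Boot 3 / Spring Security 6 with the Kotlin DSL (the `...config.annotation.web.invoke` import path), and the `/api/csrf` and `/api/login` URLs are hypothetical. The request handler mirrors the single-page-application pattern described in the Spring Security reference documentation.

```kotlin
// Added example (not from the question): Spring Security 6 configuration that delivers the
// CSRF token to an Angular front-end through a readable cookie instead of a hidden form field.
import jakarta.servlet.http.HttpServletRequest
import jakarta.servlet.http.HttpServletResponse
import java.util.function.Supplier
import org.springframework.context.annotation.Bean
import org.springframework.context.annotation.Configuration
import org.springframework.security.config.annotation.web.builders.HttpSecurity
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity
import org.springframework.security.config.annotation.web.invoke
import org.springframework.security.web.SecurityFilterChain
import org.springframework.security.web.csrf.CookieCsrfTokenRepository
import org.springframework.security.web.csrf.CsrfToken
import org.springframework.security.web.csrf.CsrfTokenRequestAttributeHandler
import org.springframework.security.web.csrf.CsrfTokenRequestHandler
import org.springframework.security.web.csrf.XorCsrfTokenRequestAttributeHandler
import org.springframework.web.bind.annotation.GetMapping
import org.springframework.web.bind.annotation.RestController

/**
 * Request handler for a single-page app (pattern from the Spring Security reference docs):
 * keeps the XOR-masked token (BREACH protection) for any server-rendered form, accepts the
 * raw cookie value from the X-XSRF-TOKEN header, and forces the deferred token to be loaded
 * so that the XSRF-TOKEN cookie is written on the very first response.
 */
class SpaCsrfTokenRequestHandler : CsrfTokenRequestHandler {
    private val plain: CsrfTokenRequestHandler = CsrfTokenRequestAttributeHandler()
    private val xor: CsrfTokenRequestHandler = XorCsrfTokenRequestAttributeHandler()

    override fun handle(request: HttpServletRequest, response: HttpServletResponse, csrfToken: Supplier<CsrfToken>) {
        xor.handle(request, response, csrfToken)
        // Resolving the deferred token makes CookieCsrfTokenRepository emit Set-Cookie: XSRF-TOKEN=...
        csrfToken.get()
    }

    override fun resolveCsrfTokenValue(request: HttpServletRequest, csrfToken: CsrfToken): String? {
        val headerValue = request.getHeader(csrfToken.headerName)
        // Header present: the SPA sent the raw cookie value. Otherwise fall back to the XOR form field.
        val handler = if (!headerValue.isNullOrBlank()) plain else xor
        return handler.resolveCsrfTokenValue(request, csrfToken)
    }
}

@Configuration
@EnableWebSecurity
class SecurityConfig {
    @Bean
    fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
        http {
            csrf {
                // HttpOnly=false on purpose: Angular's HttpClient must be able to read XSRF-TOKEN
                // in order to copy it into the X-XSRF-TOKEN header.
                csrfTokenRepository = CookieCsrfTokenRepository.withHttpOnlyFalse()
                csrfTokenRequestHandler = SpaCsrfTokenRequestHandler()
            }
            authorizeHttpRequests {
                // Hypothetical bootstrap endpoint: an anonymous GET whose only job is to set the cookie.
                authorize("/api/csrf", permitAll)
                authorize(anyRequest, authenticated)
            }
            formLogin {
                // Hypothetical URL the Angular login form POSTs to, carrying X-XSRF-TOKEN.
                loginProcessingUrl = "/api/login"
            }
        }
        return http.build()
    }
}

@RestController
class CsrfController {
    // Any request through the filter chain sets the cookie; this endpoint just gives the
    // front-end something explicit to call before its first POST. The CsrfToken argument is
    // resolved by Spring Security's MVC integration.
    @GetMapping("/api/csrf")
    fun csrf(token: CsrfToken): Map<String, String> = mapOf("headerName" to token.headerName)
}
```

Flow at runtime: the Angular app starts, issues `GET /api/csrf` (any GET would do), the browser stores the `XSRF-TOKEN` cookie, and the subsequent `POST /api/login` goes out with `X-XSRF-TOKEN` set, so the `CsrfFilter`, which runs before the login filter, accepts it. Angular's defaults (`HttpClientXsrfModule`, or `withXsrfConfiguration` with `provideHttpClient`) already use the cookie name `XSRF-TOKEN` and header `X-XSRF-TOKEN`, matching `CookieCsrfTokenRepository`; two things to check if the header never appears are that Angular only adds it for non-GET requests to relative URLs, not to absolute `http://…` URLs, and that in a cross-origin setup the cookie must actually be sent and readable from the front-end's origin. Because the cookie is deliberately readable by script, this pattern rests on the front-end being free of XSS, the same assumption as any double-submit-cookie scheme.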