We are developing a web API using Spring Boot that should support a React client alongside mobile apps. For the web side of things we use session management with cookies for authorization and have CSRF enabled, the mobile application will be sending authorization info using bearer tokens. Now let's say we have an endpoint for modifying user data that will be used both by the React client and the mobile app,is there a way to disable CSRF checks when the mobile application is trying to access it, since the mobile application shouldn't really be vulnerable to CSRF attacks?
CodePudding user response:
Is there a way to disable CSRF checks when the mobile application is trying to access it
Yes, you can have the mobile version use a different URL. And then you can configure the HttpSecurity bean like this.
http
.csrf()
.ignoringAntMatchers("/my-csrf-disabled-uri-for-mobile/**")
.and()
Does this solve your problem ? Tell me in the comments.