Such a great video!
Your videos are excellent, including the spring security as well. Please keep posting more videos like this in the future, as well.
Thanks for the video my friend. I was using csrf token, but knowing that there is another way (same-site) is great to know. Keep on going :)
Excellent explanation mate
It was great thank you, please keep posting ❤
It was great thank you, please keep posting
Thank you!
Thanks many times over, actually one thing from here that helped me a lot was enabling spring security's logging in the intellij console, i had no idea there was such logging, i just assumed everything in there was all there was, though in retrospect it seems obvious. great to now be able to see everything, really nice vid bruh liked n subbed
Very super way of telling
I need this type of teaching
Thank you!
sergey, you're such a goat
Amazing video! ⭐
Thank you for the explanation. Keep posting videos you are doing a great job! 🏆
I would like to see more about Spring security and especially the hacker/dev personas (those were quite awesome and got my full attention).
Great hoodie!
Haha, thanks 😂
Hard topic 🤯
excellent
Thank you, Shankar 😊
like for the good explanation!!!
11:14 How can a POST request be a top-level request? I thought top-level requests are the ones made from the address bar, but that's not the case for a POST request, is it?
Hey, Roronoa_D_Law! Great point!
When I was referring to 'top navigation POST requests,' I was talking about POST requests that lead to a new page, such as what happens when you submit a form. This kind of POST request can indeed be considered a top-level navigation. You're correct that top-level navigation usually refers to changing the entire page, and this can occur in different ways, such as typing a URL into the address bar or clicking a link. However, it can also happen through a form submission, which typically involves a POST request. So while not all POST requests result in top-level navigation, those that do lead to a new page fall under this category.
E.g. in our example, the Spring app has a login form on the page "localhost:8080/login". When the credentials were entered, it redirected to "localhost:8080". This would be considered a top-level navigation POST request.
@sergey_tech Oh I see, thanks for the clarification :)
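To make the "top-level navigation POST" distinction concrete, here is an added example (not code from the video or its Spring app) that models the browser's SameSite rules for attaching a session cookie. The request shapes, cookie attributes and the scenario names are constructed for illustration; the one browser-specific detail included is Chrome's two-minute "Lax + POST" allowance for cookies set without a SameSite attribute.

```javascript
// Added example: a model of which requests carry a session cookie under
// SameSite=Strict / Lax / None, so the cross-site hidden-form POST used in a
// CSRF attack can be compared with the app's own same-site login POST.
// All cookies and requests below are constructed, not captured from a real browser.

const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

// Chrome treats a cookie with no SameSite attribute as Lax, but still sends it on a
// top-level cross-site POST for the first two minutes after it was set
// (the "Lax + POST" allowance, meant to keep fresh login/SSO redirects working).
const LAX_POST_GRACE_SECONDS = 120;

// cookie:  { sameSite: "Strict" | "Lax" | "None" | undefined, secure: boolean, ageSeconds: number }
// request: { method, crossSite: boolean, topLevelNavigation: boolean }
function cookieIsSent(cookie, request) {
  if (cookie.sameSite === "None") {
    // Browsers reject SameSite=None cookies that are not also Secure,
    // so a non-Secure one never exists to be sent; a Secure one always is.
    return cookie.secure === true;
  }
  if (!request.crossSite) return true;            // same-site request: always sent
  if (cookie.sameSite === "Strict") return false; // cross-site request: never sent
  const unsafe = !SAFE_METHODS.has(request.method.toUpperCase());
  if (cookie.sameSite === undefined && request.topLevelNavigation && unsafe
      && cookie.ageSeconds < LAX_POST_GRACE_SECONDS) {
    return true;                                  // Chrome's Lax + POST exception
  }
  // Lax, whether explicit or defaulted: only top-level navigations using a safe method.
  return request.topLevelNavigation && !unsafe;
}

// The situations from the thread, as constructed requests against localhost:8080.
const SCENARIOS = {
  // The app's own login form submitted from localhost:8080/login: same-site POST.
  loginFormSameSite:   { method: "POST", crossSite: false, topLevelNavigation: true },
  // An attacker page auto-submits a hidden form to localhost:8080: cross-site top-level POST.
  attackerFormPost:    { method: "POST", crossSite: true,  topLevelNavigation: true },
  // An attacker page links the victim to a state-changing GET URL: cross-site top-level GET.
  attackerLinkGet:     { method: "GET",  crossSite: true,  topLevelNavigation: true },
  // An attacker page loads <img src="http://localhost:8080/..."> or calls fetch(): not a navigation.
  attackerSubresource: { method: "GET",  crossSite: true,  topLevelNavigation: false },
};

// Map each scenario name to whether the given cookie would be attached.
function sentCookies(cookie) {
  const result = {};
  for (const [name, request] of Object.entries(SCENARIOS)) {
    result[name] = cookieIsSent(cookie, request);
  }
  return result;
}

// Constructed session cookies with different SameSite settings.
const LAX_SESSION    = { sameSite: "Lax",     secure: true, ageSeconds: 600 };
const STRICT_SESSION = { sameSite: "Strict",  secure: true, ageSeconds: 600 };
const NONE_SESSION   = { sameSite: "None",    secure: true, ageSeconds: 600 };
const LEGACY_FRESH   = { sameSite: undefined, secure: true, ageSeconds: 30 }; // no attribute, set 30 s ago

for (const [label, cookie] of [["Lax", LAX_SESSION], ["Strict", STRICT_SESSION],
                               ["None", NONE_SESSION], ["no attribute, 30 s old", LEGACY_FRESH]]) {
  console.log(label, sentCookies(cookie));
}
```

Reading the output: with SameSite=Lax the login POST from the app's own page goes through, but the attacker's cross-site hidden-form POST does not, which is the protection the video mentions; a cross-site top-level GET still carries the cookie, so state changes must not be reachable via GET. The last row shows why relying on browser defaults is not a defence: a cookie set without any SameSite attribute is still sent on a cross-site POST during Chrome's grace window, and Firefox and Safari do not default unspecified cookies to Lax at all. Set the attribute explicitly (in Spring Boot 2.6 or later the property is server.servlet.session.cookie.same-site=lax) and keep CSRF tokens for anything that must also work for older clients.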
Is attack possible in case of SPA? If post request is made by JS code on a web page?
The direct answer to your question is that it's 'most likely not possible'. But it depends on the authentication mechanism you're using. When most SPAs use JWT tokens, they need to be manually included in the header (typically as "Authorization: Bearer xxxx"). This method makes a CSRF attack less likely because it doesn't rely on the browser automatically sending a cookie header with a session id.
However, there are two important considerations:
- Ensure that the JWT token isn't stored in a cookie.
- Ensure the app doesn't fall back to cookie-based authentication.
These are, of course, based on my assumptions. If your app is using a session id stored in a cookie, as shown in my video, then yes, you'll need to protect against CSRF attacks.
How do we protect against it? Please make a video on it, sir.