{"id":1353,"date":"2012-06-22T16:00:00","date_gmt":"2012-06-22T16:00:00","guid":{"rendered":"http:\/\/www.javacodegeeks.com\/2012\/10\/preventing-csrf-in-java-web-apps.html"},"modified":"2012-10-22T05:29:29","modified_gmt":"2012-10-22T05:29:29","slug":"preventing-csrf-in-java-web-apps","status":"publish","type":"post","link":"https:\/\/www.javacodegeeks.com\/2012\/06\/preventing-csrf-in-java-web-apps.html","title":{"rendered":"Preventing CSRF in Java web apps"},"content":{"rendered":"
\n
Cross-site request forgery attacks (CSRF) are very common in web applications and can cause significant harm if allowed. If you have never heard of CSRF I recommend you check out OWASPs page about it<\/a>. <\/div>\n
\n<\/div>\n
Luckily preventing CSRF attacks is quite simple, I\u2019ll try to show you how they work and how we can defend from them in the least obtrusive way possible in Java based web apps.<\/div>\n
\n<\/div>\n
Imagine you are about to perform a money transfer in your bank\u2019s secure web page, when you click on the transfer option a form page is loaded that allows you to choose the debit and credit accounts, and enter the amount of money to move. When you are satisfied with your options you press \u201csubmit\u201d and send the form information to your bank\u2019s web server, which in turns performs the transaction. <\/div>\n
\n<\/div>\n
Now add the following to the picture, a malicious website (which you think harmless of course) is open on another window\/tab of your browser while you are innocently moving all your millions in your bank\u2019s site. This evil site knows the bank\u2019s web forms structure, and as you browse through it, it tries to post transactions withdrawing money from your accounts and depositing it on the evil overlord\u2019s accounts, it can do it because you have an open and valid session with the banks site in the same browser! This is the basis for a CSRF attack. <\/div>\n
\n<\/div>\n
One simple and effective way to prevent it is to generate a random (i.e. unpredictable) string when the initial transfer form is loaded and send it to the browser. The browser then sends this piece of data along with the transfer options, and the server validates it before approving the transaction for processing. This way, malicious websites cannot post transactions even if they have access to a valid session in a browser. <\/div>\n
\n<\/div>\n
To implement this mechanism in Java I choose to use two filters, one to create the salt for each request, and another to validate it. Since the users request and subsequent POST or GETs that should be validated do not necessarily get executed in order, I decided to use a time based cache to store a list of valid salt strings. <\/div>\n
\n<\/div>\n
The first filter, used to generate a new salt for a request and store it in the cache can be coded as follows: <\/div>\n
package com.ricardozuasti.csrf;\r\n\r\nimport com.google.common.cache.Cache;\r\nimport com.google.common.cache.CacheBuilder;\r\nimport com.google.common.cache.CacheLoader;\r\nimport com.google.common.cache.LoadingCache;\r\nimport java.io.IOException;\r\nimport java.security.SecureRandom;\r\nimport java.util.concurrent.ExecutionException;\r\nimport java.util.concurrent.TimeUnit;\r\nimport javax.servlet.*;\r\nimport javax.servlet.http.HttpServletRequest;\r\nimport org.apache.commons.lang.RandomStringUtils;\r\n\r\npublic class LoadSalt implements Filter {\r\n\r\n    @Override\r\n    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)\r\n        throws IOException, ServletException {\r\n\r\n        \/\/ Assume its HTTP\r\n        HttpServletRequest httpReq = (HttpServletRequest) request;\r\n\r\n        \/\/ Check the user session for the salt cache, if none is present we create one\r\n        Cache<String, Boolean> csrfPreventionSaltCache = (Cache<String, Boolean>)\r\n            httpReq.getSession().getAttribute(\"csrfPreventionSaltCache\");\r\n\r\n        if (csrfPreventionSaltCache == null){\r\n            csrfPreventionSaltCache = CacheBuilder.newBuilder()\r\n                .maximumSize(5000)\r\n                .expireAfterWrite(20, TimeUnit.MINUTES)\r\n                .build();\r\n\r\n            httpReq.getSession().setAttribute(\"csrfPreventionSaltCache\", csrfPreventionSaltCache);\r\n        }\r\n\r\n        \/\/ Generate the salt and store it in the users cache\r\n        String salt = RandomStringUtils.random(20, 0, 0, true, true, null, new SecureRandom());\r\n        csrfPreventionSaltCache.put(salt, Boolean.TRUE);\r\n\r\n        \/\/ Add the salt to the current request so it can be used\r\n        \/\/ by the page rendered in this request\r\n        httpReq.setAttribute(\"csrfPreventionSalt\", salt);\r\n\r\n        chain.doFilter(request, response);\r\n    }\r\n\r\n    @Override\r\n    public void init(FilterConfig filterConfig) throws ServletException {\r\n    }\r\n\r\n    @Override\r\n    public void destroy() {\r\n    }\r\n}\r\n<\/pre>\n
I used Guava CacheBuilder<\/a> to create the salt cache since it has both a size limit and an expiration timeout per entry. To generate the actual salt I used Apache Commons RandomStringUtils<\/a>, powered by Java 6 SecureRandom to ensure a strong generation seed.       <\/div>\n
\n<\/div>\n
This filter should be used in all requests ending in a page that will link, post or call via AJAX a secured transaction, so in most cases it\u2019s a good idea to map it to every request (maybe with the exception of static content such as images, CSS, etc.). It\u2019s mapping in your web.xml should look similar to:       <\/div>\n
    ...\r\n    <filter>\r\n        <filter-name>loadSalt<\/filter-name>\r\n        <filter-class>com.ricardozuasti.csrf.LoadSalt<\/filter-class>\r\n    <\/filter>\r\n    ...\r\n    <filter-mapping>\r\n        <filter-name>loadSalt<\/filter-name>\r\n        <url-pattern>*<\/url-pattern>\r\n    <\/filter-mapping>\r\n    ...\r\n<\/pre>\n
As I said, to validate the salt before executing secure transactions we can write another filter:       
 
<\/div> <\/div><\/p>\n
package com.ricardozuasti.csrf;\r\n\r\nimport com.google.common.cache.Cache;\r\nimport java.io.IOException;\r\nimport javax.servlet.*;\r\nimport javax.servlet.http.HttpServletRequest;\r\n\r\npublic class ValidateSalt implements Filter  {\r\n\r\n    @Override\r\n    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)\r\n        throws IOException, ServletException {\r\n\r\n        \/\/ Assume its HTTP\r\n        HttpServletRequest httpReq = (HttpServletRequest) request;\r\n\r\n        \/\/ Get the salt sent with the request\r\n        String salt = (String) httpReq.getParameter(\"csrfPreventionSalt\");\r\n\r\n        \/\/ Validate that the salt is in the cache\r\n        Cache<String, Boolean> csrfPreventionSaltCache = (Cache<String, Boolean>)\r\n            httpReq.getSession().getAttribute(\"csrfPreventionSaltCache\");\r\n\r\n        if (csrfPreventionSaltCache != null &&\r\n                salt != null &&\r\n                csrfPreventionSaltCache.getIfPresent(salt) != null){\r\n\r\n            \/\/ If the salt is in the cache, we move on\r\n            chain.doFilter(request, response);\r\n        } else {\r\n            \/\/ Otherwise we throw an exception aborting the request flow\r\n            throw new ServletException(\"Potential CSRF detected!! Inform a scary sysadmin ASAP.\");\r\n        }\r\n    }\r\n\r\n    @Override\r\n    public void init(FilterConfig filterConfig) throws ServletException {\r\n    }\r\n\r\n    @Override\r\n    public void destroy() {\r\n    }\r\n}\r\n<\/pre>\n
You should configure this filter for every request that needs to be secure (i.e. retrieves or modifies sensitive information, move money, etc.), for example:       <\/div>\n
    ...\r\n    <filter>\r\n        <filter-name>validateSalt<\/filter-name>\r\n        <filter-class>com.ricardozuasti.csrf.ValidateSalt<\/filter-class>\r\n    <\/filter>\r\n    ...\r\n    <filter-mapping>\r\n        <filter-name>validateSalt<\/filter-name>\r\n        <url-pattern>\/transferMoneyServlet<\/url-pattern>\r\n    <\/filter-mapping>\r\n    ...\r\n<\/pre>\n
After configuring both servlets all your secured requests should fail :). To fix it you have to add, to each link and form post that ends in a secure URL, the csrfPreventionSalt<\/i> parameter containing the value of the request parameter with the same name. For example, in an HTML form within a JSP page:       <\/div>\n
...\r\n<form action=\"\/transferMoneyServlet\" method=\"get\">\r\n    <input type=\"hidden\" name=\"csrfPreventionSalt\" value=\"<c:out value='${csrfPreventionSalt}'\/>\"\/>\r\n    ...\r\n<\/form>\r\n...\r\n<\/pre>\n
Of course you can write a custom tag, a nice Javascript code or whatever you prefer to inject the new parameter in every needed link\/form.  <\/p>\n
Reference: <\/i><\/strong>Preventing CSRF in Java web apps <\/a> from our JCG partner<\/a> Ricardo Zuasti at the Ricardo Zuasti’s blog<\/a> blog.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"
Cross-site request forgery attacks (CSRF) are very common in web applications and can cause significant harm if allowed. If you have never heard of CSRF I recommend you check out OWASPs page about it. Luckily preventing CSRF attacks is quite simple, I\u2019ll try to show you how they work and how we can defend from …<\/p>\n","protected":false},"author":241,"featured_media":213,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8],"tags":[527,297],"class_list":["post-1353","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-enterprise-java","tag-owasp-csrf","tag-security"],"yoast_head":"\nPreventing CSRF in Java web apps - Java Code Geeks<\/title>\n<meta name=\"description\" content=\"Cross-site request forgery attacks (CSRF) are very common in web applications and can cause significant harm if allowed. If you have never heard of CSRF I\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.javacodegeeks.com\/2012\/06\/preventing-csrf-in-java-web-apps.html\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Preventing CSRF in Java web apps - Java Code Geeks\" \/>\n<meta property=\"og:description\" content=\"Cross-site request forgery attacks (CSRF) are very common in web applications and can cause significant harm if allowed. If you have never heard of CSRF I\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.javacodegeeks.com\/2012\/06\/preventing-csrf-in-java-web-apps.html\" \/>\n<meta property=\"og:site_name\" content=\"Java Code Geeks\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/javacodegeeks\" \/>\n<meta property=\"article:published_time\" content=\"2012-06-22T16:00:00+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2012-10-22T05:29:29+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.javacodegeeks.com\/wp-content\/uploads\/2012\/10\/owasp-logo.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"150\" \/>\n\t<meta property=\"og:image:height\" content=\"150\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Ricardo Zuasti\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@javacodegeeks\" \/>\n<meta name=\"twitter:site\" content=\"@javacodegeeks\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Ricardo Zuasti\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.javacodegeeks.com\\\/2012\\\/06\\\/preventing-csrf-in-java-web-apps.html#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.javacodegeeks.com\\\/2012\\\/06\\\/preventing-csrf-in-java-web-apps.html\"},\"author\":{\"name\":\"Ricardo Zuasti\",\"@id\":\"https:\\\/\\\/www.javacodegeeks.com\\\/#\\\/schema\\\/person\\\/d50fab50437c2bf5c06fbd1e7a9a73a7\"},\"headline\":\"Preventing CSRF in Java web apps\",\"datePublished\":\"2012-06-22T16:00:00+00:00\",\"dateModified\":\"2012-10-22T05:29:29+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.javacodegeeks.com\\\/2012\\\/06\\\/preventing-csrf-in-java-web-apps.html\"},\"wordCount\":648,\"commentCount\":5,\"publisher\":{\"@id\":\"https:\\\/\\\/www.javacodegeeks.com\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.javacodegeeks.com\\\/2012\\\/06\\\/preventing-csrf-in-java-web-apps.html#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.javacodegeeks.com\\\/wp-content\\\/uploads\\\/2012\\\/10\\\/owasp-logo.jpg\",\"keywords\":[\"OWASP CSRF\",\"Security\"],\"articleSection\":[\"Enterprise Java\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/www.javacodegeeks.com\\\/2012\\\/06\\\/preventing-csrf-in-java-web-apps.html#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.javacodegeeks.com\\\/2012\\\/06\\\/preventing-csrf-in-java-web-apps.html\",\"url\":\"https:\\\/\\\/www.javacodegeeks.com\\\/2012\\\/06\\\/preventing-csrf-in-java-web-apps.html\",\"name\":\"Preventing CSRF in Java web apps - Java Code Geeks\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.javacodegeeks.com\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.javacodegeeks.com\\\/2012\\\/06\\\/preventing-csrf-in-java-web-apps.html#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.javacodegeeks.com\\\/2012\\\/06\\\/preventing-csrf-in-java-web-apps.html#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.javacodegeeks.com\\\/wp-content\\\/uploads\\\/2012\\\/10\\\/owasp-logo.jpg\",\"datePublished\":\"2012-06-22T16:00:00+00:00\",\"dateModified\":\"2012-10-22T05:29:29+00:00\",\"description\":\"Cross-site request forgery attacks (CSRF) are very common in web applications and can cause significant harm if allowed. If you have never heard of CSRF I\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.javacodegeeks.com\\\/2012\\\/06\\\/preventing-csrf-in-java-web-apps.html#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.javacodegeeks.com\\\/2012\\\/06\\\/preventing-csrf-in-java-web-apps.html\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.javacodegeeks.com\\\/2012\\\/06\\\/preventing-csrf-in-java-web-apps.html#primaryimage\",\"url\":\"https:\\\/\\\/www.javacodegeeks.com\\\/wp-content\\\/uploads\\\/2012\\\/10\\\/owasp-logo.jpg\",\"contentUrl\":\"https:\\\/\\\/www.javacodegeeks.com\\\/wp-content\\\/uploads\\\/2012\\\/10\\\/owasp-logo.jpg\",\"width\":150,\"height\":150},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.javacodegeeks.com\\\/2012\\\/06\\\/preventing-csrf-in-java-web-apps.html#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.javacodegeeks.com\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Java\",\"item\":\"https:\\\/\\\/www.javacodegeeks.com\\\/category\\\/java\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Enterprise Java\",\"item\":\"https:\\\/\\\/www.javacodegeeks.com\\\/category\\\/java\\\/enterprise-java\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"Preventing CSRF in Java web apps\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.javacodegeeks.com\\\/#website\",\"url\":\"https:\\\/\\\/www.javacodegeeks.com\\\/\",\"name\":\"Java Code Geeks\",\"description\":\"Java Developers Resource Center\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.javacodegeeks.com\\\/#organization\"},\"alternateName\":\"JCG\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.javacodegeeks.com\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.javacodegeeks.com\\\/#organization\",\"name\":\"Exelixis Media P.C.\",\"url\":\"https:\\\/\\\/www.javacodegeeks.com\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.javacodegeeks.com\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.javacodegeeks.com\\\/wp-content\\\/uploads\\\/2022\\\/06\\\/exelixis-logo.png\",\"contentUrl\":\"https:\\\/\\\/www.javacodegeeks.com\\\/wp-content\\\/uploads\\\/2022\\\/06\\\/exelixis-logo.png\",\"width\":864,\"height\":246,\"caption\":\"Exelixis Media P.C.\"},\"image\":{\"@id\":\"https:\\\/\\\/www.javacodegeeks.com\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/www.facebook.com\\\/javacodegeeks\",\"https:\\\/\\\/x.com\\\/javacodegeeks\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.javacodegeeks.com\\\/#\\\/schema\\\/person\\\/d50fab50437c2bf5c06fbd1e7a9a73a7\",\"name\":\"Ricardo Zuasti\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/45711d9f0d1404468a50969959af0c5bbd3bd409d251421121cc6743115b696c?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/45711d9f0d1404468a50969959af0c5bbd3bd409d251421121cc6743115b696c?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/45711d9f0d1404468a50969959af0c5bbd3bd409d251421121cc6743115b696c?s=96&d=mm&r=g\",\"caption\":\"Ricardo Zuasti\"},\"sameAs\":[\"http:\\\/\\\/ricardozuasti.com\"],\"url\":\"https:\\\/\\\/www.javacodegeeks.com\\\/author\\\/Ricardo-Zuasti\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Preventing CSRF in Java web apps - Java Code Geeks","description":"Cross-site request forgery attacks (CSRF) are very common in web applications and can cause significant harm if allowed. If you have never heard of CSRF I","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.javacodegeeks.com\/2012\/06\/preventing-csrf-in-java-web-apps.html","og_locale":"en_US","og_type":"article","og_title":"Preventing CSRF in Java web apps - Java Code Geeks","og_description":"Cross-site request forgery attacks (CSRF) are very common in web applications and can cause significant harm if allowed. If you have never heard of CSRF I","og_url":"https:\/\/www.javacodegeeks.com\/2012\/06\/preventing-csrf-in-java-web-apps.html","og_site_name":"Java Code Geeks","article_publisher":"https:\/\/www.facebook.com\/javacodegeeks","article_published_time":"2012-06-22T16:00:00+00:00","article_modified_time":"2012-10-22T05:29:29+00:00","og_image":[{"width":150,"height":150,"url":"https:\/\/www.javacodegeeks.com\/wp-content\/uploads\/2012\/10\/owasp-logo.jpg","type":"image\/jpeg"}],"author":"Ricardo Zuasti","twitter_card":"summary_large_image","twitter_creator":"@javacodegeeks","twitter_site":"@javacodegeeks","twitter_misc":{"Written by":"Ricardo Zuasti","Est. reading time":"5 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.javacodegeeks.com\/2012\/06\/preventing-csrf-in-java-web-apps.html#article","isPartOf":{"@id":"https:\/\/www.javacodegeeks.com\/2012\/06\/preventing-csrf-in-java-web-apps.html"},"author":{"name":"Ricardo Zuasti","@id":"https:\/\/www.javacodegeeks.com\/#\/schema\/person\/d50fab50437c2bf5c06fbd1e7a9a73a7"},"headline":"Preventing CSRF in Java web apps","datePublished":"2012-06-22T16:00:00+00:00","dateModified":"2012-10-22T05:29:29+00:00","mainEntityOfPage":{"@id":"https:\/\/www.javacodegeeks.com\/2012\/06\/preventing-csrf-in-java-web-apps.html"},"wordCount":648,"commentCount":5,"publisher":{"@id":"https:\/\/www.javacodegeeks.com\/#organization"},"image":{"@id":"https:\/\/www.javacodegeeks.com\/2012\/06\/preventing-csrf-in-java-web-apps.html#primaryimage"},"thumbnailUrl":"https:\/\/www.javacodegeeks.com\/wp-content\/uploads\/2012\/10\/owasp-logo.jpg","keywords":["OWASP CSRF","Security"],"articleSection":["Enterprise Java"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.javacodegeeks.com\/2012\/06\/preventing-csrf-in-java-web-apps.html#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.javacodegeeks.com\/2012\/06\/preventing-csrf-in-java-web-apps.html","url":"https:\/\/www.javacodegeeks.com\/2012\/06\/preventing-csrf-in-java-web-apps.html","name":"Preventing CSRF in Java web apps - Java Code Geeks","isPartOf":{"@id":"https:\/\/www.javacodegeeks.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.javacodegeeks.com\/2012\/06\/preventing-csrf-in-java-web-apps.html#primaryimage"},"image":{"@id":"https:\/\/www.javacodegeeks.com\/2012\/06\/preventing-csrf-in-java-web-apps.html#primaryimage"},"thumbnailUrl":"https:\/\/www.javacodegeeks.com\/wp-content\/uploads\/2012\/10\/owasp-logo.jpg","datePublished":"2012-06-22T16:00:00+00:00","dateModified":"2012-10-22T05:29:29+00:00","description":"Cross-site request forgery attacks (CSRF) are very common in web applications and can cause significant harm if allowed. If you have never heard of CSRF I","breadcrumb":{"@id":"https:\/\/www.javacodegeeks.com\/2012\/06\/preventing-csrf-in-java-web-apps.html#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.javacodegeeks.com\/2012\/06\/preventing-csrf-in-java-web-apps.html"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.javacodegeeks.com\/2012\/06\/preventing-csrf-in-java-web-apps.html#primaryimage","url":"https:\/\/www.javacodegeeks.com\/wp-content\/uploads\/2012\/10\/owasp-logo.jpg","contentUrl":"https:\/\/www.javacodegeeks.com\/wp-content\/uploads\/2012\/10\/owasp-logo.jpg","width":150,"height":150},{"@type":"BreadcrumbList","@id":"https:\/\/www.javacodegeeks.com\/2012\/06\/preventing-csrf-in-java-web-apps.html#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.javacodegeeks.com\/"},{"@type":"ListItem","position":2,"name":"Java","item":"https:\/\/www.javacodegeeks.com\/category\/java"},{"@type":"ListItem","position":3,"name":"Enterprise Java","item":"https:\/\/www.javacodegeeks.com\/category\/java\/enterprise-java"},{"@type":"ListItem","position":4,"name":"Preventing CSRF in Java web apps"}]},{"@type":"WebSite","@id":"https:\/\/www.javacodegeeks.com\/#website","url":"https:\/\/www.javacodegeeks.com\/","name":"Java Code Geeks","description":"Java Developers Resource Center","publisher":{"@id":"https:\/\/www.javacodegeeks.com\/#organization"},"alternateName":"JCG","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.javacodegeeks.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.javacodegeeks.com\/#organization","name":"Exelixis Media P.C.","url":"https:\/\/www.javacodegeeks.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.javacodegeeks.com\/#\/schema\/logo\/image\/","url":"https:\/\/www.javacodegeeks.com\/wp-content\/uploads\/2022\/06\/exelixis-logo.png","contentUrl":"https:\/\/www.javacodegeeks.com\/wp-content\/uploads\/2022\/06\/exelixis-logo.png","width":864,"height":246,"caption":"Exelixis Media P.C."},"image":{"@id":"https:\/\/www.javacodegeeks.com\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/javacodegeeks","https:\/\/x.com\/javacodegeeks"]},{"@type":"Person","@id":"https:\/\/www.javacodegeeks.com\/#\/schema\/person\/d50fab50437c2bf5c06fbd1e7a9a73a7","name":"Ricardo Zuasti","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/45711d9f0d1404468a50969959af0c5bbd3bd409d251421121cc6743115b696c?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/45711d9f0d1404468a50969959af0c5bbd3bd409d251421121cc6743115b696c?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/45711d9f0d1404468a50969959af0c5bbd3bd409d251421121cc6743115b696c?s=96&d=mm&r=g","caption":"Ricardo Zuasti"},"sameAs":["http:\/\/ricardozuasti.com"],"url":"https:\/\/www.javacodegeeks.com\/author\/Ricardo-Zuasti"}]}},"_links":{"self":[{"href":"https:\/\/www.javacodegeeks.com\/wp-json\/wp\/v2\/posts\/1353","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.javacodegeeks.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.javacodegeeks.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.javacodegeeks.com\/wp-json\/wp\/v2\/users\/241"}],"replies":[{"embeddable":true,"href":"https:\/\/www.javacodegeeks.com\/wp-json\/wp\/v2\/comments?post=1353"}],"version-history":[{"count":0,"href":"https:\/\/www.javacodegeeks.com\/wp-json\/wp\/v2\/posts\/1353\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.javacodegeeks.com\/wp-json\/wp\/v2\/media\/213"}],"wp:attachment":[{"href":"https:\/\/www.javacodegeeks.com\/wp-json\/wp\/v2\/media?parent=1353"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.javacodegeeks.com\/wp-json\/wp\/v2\/categories?post=1353"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.javacodegeeks.com\/wp-json\/wp\/v2\/tags?post=1353"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}