Angular2 and Spring — fighting CSRF in the wild.
David Herges

Hi David, Thank you for this article.

In our case, our Spring app works like an API that responds to incoming REST calls, from a different Angular app, with JSON. For every call, the basic authentication ID/password needs to be passed. If the HTTP call does not have the ID/password, the call is rejected. In such a case, can a CSRF attack happen? Because even if the browser session is hijacked, the malicious JS still needs to send the ID/password.

If there is still a possibility of a CSRF attack and I implement the cookie solution, are those cookies specific to a session? Does the session ID also need to be sent along with the CSRF cookie from Spring to Angular during the first call?