I am trying to implement CSRF protection using Spring and FreeMarker as my template engine.
Due to the restrictions of FreeMarker I had to add the JavaScript function to make it work, just as I saw it here:
So, I added this code:
$(function () {
    // Read the token and the header name that the template renders into the <head>
    var token = $("meta[name='_csrf']").attr("content");
    var header = $("meta[name='_csrf_header']").attr("content");
    // Before every jQuery AJAX request, add the token as a request header
    $(document).ajaxSend(function (e, xhr, options) {
        xhr.setRequestHeader(header, token);
    });
});
As far as I can see, it is not adding anything, just some meta tags with no content... and I cannot be 100% sure the ajaxSend is working. Is there any way to know it is working?
I read that CSRF protection is enabled by default, and I have the correct filter chain (as far as I could check).
I am using Spring 3.2.8 and Spring Security 3.2.5 with FreeMarker 2.3.2.
Is there any way to verify this?
Thanks
If you want to check that the CSRF filter is preventing malicious requests, then use a tool like the Firefox plugin "Tamper Data", which is able to manipulate the request before it gets sent. With such a tool you can delete or change the CSRF prevention token that is sent. When you change it or delete it, the server must respond with an error (not authorized or something like that). But if the server fulfills the request like normal, then your CSRF protection is not working.