spring-security csrf-protection spring-session

CSRF protection and Spring Session header session strategy

In my spring based rest API, I'm using spring-session with HeaderHttpSessionStrategy. Given cookies are not used at all (session id is sent as a header), do I still need to worry about CSRF attacks?

I would say I'm safe, and I have read people agreeing that in this scenario CSRF protection is not needed, for example: https://security.stackexchange.com/questions/62080/is-csrf-possible-if-i-dont-even-use-cookies

However, the Spring guys argue that whenever an application is accessed by a browser you do need CSRF protection: https://spring.io/blog/2015/01/12/the-login-page-angular-js-and-spring-security-part-ii.

Solution

In my oppinion, if you use the HeaderHttpSessionStrategy, CSRF attacks are not possible. If you save the header token as a cookie, it is actually the same approach as the XSRF protection works. So XSRF protection does not give you any additional protection.

Property 'security.basic.enabled' is Deprecated: The security auto-configuration is no longer customizable
Consider defining a bean of type 'org.springframework.security.authentication.AuthenticationManager' in your configuration
StackOverflowError with Unresolvable Circular Reference in AuthenticationManager Bean Definition
Spring Boot throwing 401 Unauthorized on POST request
Spring Security 6.3.3 WebFlux CORS
CORS errors using Spring Boot, Spring Security and React
Spring Boot + Security + MVC + LDAP AD + SSO
Why BCryptPasswordEncoder from Spring generate different outputs for same input?
Spring-Boot behind a network proxy
Preventing to send requests from different devices
CVE-2024-38809: Spring Framework DoS via conditional HTTP request
I/O error on GET request for "https://localhost/application/o/{name}/.well-known/openid-configuration": Connection refused
Spring Security — 'Full authentication is required to access this resource' for a non-existing endpoint
How to block access to my API from Postman/Other API's/etc.. (Spring Boot)
SpringBoot 3 OAuth2 Resource Server missing bean of type 'org.springframework.security.oauth2.jwt.JwtDecoder'
unsupported_grant_type error for authorization_code grant type: Spring Security OAuth2
LDAP authentication using Spring security 2.0.3
How to fix java.lang.NoClassDefFoundError for javax/xml/bind/DatatypeConverter
Upgrade to Spring Boot 3 returns 403s for all pages, causes authorization check on JSP URIs
How to use the Spring OAuth2 client to retrieve an access token only?
Get the OAuth2/OIDC access token with every request in Spring
Spring Security issue with JWT: Cannot subclass final class JwtAuthenticationProvider
What is better to use "class" or "enum" to implement roles and permissions?
Spring Security oauth2Login vs oauth2Client
How to redirect HTTP requests to HTTPS using Spring Security Java configuration?
How I can process authentication exceptions and basic HTTP500-like exceptions separetely in Spring Boot 3
I have a question about "AuthenticationFilter.class" in Spring Security
Validate JWT - Java17 Spring Security JWT:0.12.6
Spring 6 upgrade @PreAuthorize not working with ArguementResolver
Why my REST Configuration in spring-security.xml not intercepting /rest endpoints?