Tags: java, spring, security, spring-security, csrf

Spring Security and CSRF attack


I am working on a Java web application which should be very secure, so I applied Spring Security and Spring MVC with CSRF enabled on an SSL server. I used POST to submit all forms along with the generated CSRF token successfully; however, some pages use GET methods, and if any attacker opens the source of any page from any browser he can see the generated CSRF token inside the form tag, and then he can use it to POST any content to our site as long as the session of the user under attack is active!! Am I right?

What should I do to make the site very secure? Should I use any other open source library along with Spring Security to cover other attacks like cross-site scripting, etc.? And should I enforce all pages to use POST to avoid any CSRF attack?

UPDATE

I tried to do more testing by submitting a request via a client tool on the same browser under the same session using the same token as the logged-in user, but it fails; the response said login failed, and the header contains nosniff:

X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY

So I think it is safe to use GET in Spring Security and let it handle the CSRF token without being afraid of someone reading the token on GET pages, unless the attacker uses an XSS attack to do the submission.


Solution

  • The attacker can see his own CSRF token, but he cannot see the CSRF token of another user. Different users have different tokens, and using the wrong token should not work.

    So there is nothing to be worried about here. Don't panic.
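As an added illustration of the point above (this is not code from the question, the answer, or Spring Security itself), here is a small Python model of how Spring Security's default CSRF protection behaves: the token is stored per HTTP session (as `HttpSessionCsrfTokenRepository` does), only non-safe methods are checked (the same GET/HEAD/TRACE/OPTIONS exemption as `DefaultRequiresCsrfMatcher`), and the submitted `_csrf` value must match the token of the session the request's cookie points at. The `Server`, `Session`, `Request` and `demo` names are assumptions of this model; the `_csrf` parameter name matches Spring's default. The scenarios run offline with constructed sessions for a victim and an attacker.

```python
import hmac
import re
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

# Methods Spring Security's default CSRF matcher leaves unchecked
# (DefaultRequiresCsrfMatcher). Anything else needs a valid token.
SAFE_METHODS = frozenset({"GET", "HEAD", "TRACE", "OPTIONS"})


@dataclass
class Session:
    """Server-side session; the CSRF token lives here, not in the page."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    """What the server sees: method, the session cookie the browser attached,
    and the _csrf form field (assumed model of a Spring form post)."""
    method: str
    session_id: Optional[str]
    csrf_param: Optional[str] = None


class Server:
    """Assumed minimal model of a Spring app with CSRF protection enabled."""

    def __init__(self) -> None:
        self.sessions: Dict[str, Session] = {}

    def login(self, user: str) -> str:
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = Session(user=user)
        return sid

    def render_form_page(self, session_id: str) -> str:
        """A GET page embeds the *caller's own* token in a hidden field."""
        token = self.sessions[session_id].csrf_token
        return (f'<form method="post">'
                f'<input type="hidden" name="_csrf" value="{token}"/></form>')

    def csrf_filter(self, req: Request) -> str:
        """Return 'allowed' or a rejection reason, like CsrfFilter would."""
        if req.method.upper() in SAFE_METHODS:
            # Not checked at all: this is why GET must never change state.
            return "allowed"
        session = self.sessions.get(req.session_id or "")
        if session is None:
            return "rejected: no session"
        if req.csrf_param is None:
            return "rejected: missing token"
        # Constant-time compare so the token cannot be guessed via timing.
        if not hmac.compare_digest(session.csrf_token, req.csrf_param):
            return "rejected: token does not match this session"
        return "allowed"


def extract_token(html: str) -> str:
    """What 'view source' gives an attacker: the token in the hidden field."""
    match = re.search(r'name="_csrf" value="([^"]+)"', html)
    return match.group(1) if match else ""


def demo() -> Dict[str, object]:
    """Victim and attacker each log in; attacker reads his own page source
    and tries to ride the victim's session with the token he found."""
    srv = Server()
    victim_sid = srv.login("victim")
    attacker_sid = srv.login("attacker")
    attacker_token = extract_token(srv.render_form_page(attacker_sid))
    victim_token = srv.sessions[victim_sid].csrf_token
    return {
        # Tokens are per session, so the attacker's page never shows the victim's.
        "attacker_sees_victim_token": attacker_token == victim_token,
        # The victim's own form post carries the matching token and passes.
        "victim_own_post": srv.csrf_filter(Request("POST", victim_sid, victim_token)),
        # A forged post from the victim's browser carries the victim's cookie
        # but the attacker's token: rejected.
        "forged_post_with_attacker_token":
            srv.csrf_filter(Request("POST", victim_sid, attacker_token)),
        # A plain cross-site form post has the cookie but no token: rejected.
        "forged_post_without_token": srv.csrf_filter(Request("POST", victim_sid)),
        # GET is exempt, so a state-changing GET would still be forgeable.
        "get_without_token": srv.csrf_filter(Request("GET", victim_sid)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The two things the model makes visible are the ones the question turns on: the token in a page's source is tied to the session of whoever loaded that page, so reading your own page source yields nothing usable against another user (and the browser's same-origin policy stops a cross-site page from reading the victim's page; only XSS on the site itself gets around that, as the questioner concluded). The other side of the coin is the safe-method exemption: GET requests are not checked, so the fix for GET is not "force POST everywhere" but making sure no GET endpoint changes state.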