Is CSRF protection really expected to be present in a REST based application?
I know it is required for web applications where JSPs are served from the server end. But I am developing a Spring Boot enabled REST service that will be consumed by Angular/Bootstrap front ends. The authentication mechanism is JWT based.
Can anybody explain what kind of CSRF attacks I can expect since I haven't used Spring's CSRF protection mechanism in backend REST services?
Since a REST application is supposed to be stateless, you can't implement traditional CSRF protection (which involves storing a token on the client and the server and then matching them).
However, you can still be vulnerable to CSRF attacks if you use a mechanism to pass credentials that is automatically persisted by the browser (such as cookies or HTTP Basic Auth).
You should avoid using such methods for authentication when writing a REST service and use something else (e.g. a custom HTTP request header).