This version is still in development and is not considered stable yet. For the latest stable version, please use Spring Security 6.4.1! |
Exploit Protection Migrations
The 5.8 migration guide contains several steps for exploit protection migrations when updating to 6.0. You are encouraged to follow those steps first.
The following steps relate to how to finish migrating exploit protection support.
Defer Loading CsrfToken
In Spring Security 5.8, the default CsrfTokenRequestHandler
for making the CsrfToken
available to the application is CsrfTokenRequestAttributeHandler
.
The default for the field csrfRequestAttributeName
is null
, which causes the CSRF token to be loaded on every request.
In Spring Security 6, csrfRequestAttributeName
defaults to _csrf
.
If you configured the following only for the purpose of updating to 6.0, you can now remove it:
requestHandler.setCsrfRequestAttributeName("_csrf");
Protect against CSRF BREACH
In Spring Security 5.8, the default CsrfTokenRequestHandler
for making the CsrfToken
available to the application is CsrfTokenRequestAttributeHandler
.
XorCsrfTokenRequestAttributeHandler
was added to allow opting into CSRF BREACH support.
In Spring Security 6, XorCsrfTokenRequestAttributeHandler
is the default CsrfTokenRequestHandler
for making the CsrfToken
available.
If you configured the XorCsrfTokenRequestAttributeHandler
only for the purpose of updating to 6.0, you can remove it completely.
If you have set the |
CSRF BREACH with WebSocket support
In Spring Security 5.8, the default ChannelInterceptor
for making the CsrfToken
available with WebSocket Security is CsrfChannelInterceptor
.
XorCsrfChannelInterceptor
was added to allow opting into CSRF BREACH support.
In Spring Security 6, XorCsrfChannelInterceptor
is the default ChannelInterceptor
for making the CsrfToken
available.
If you configured the XorCsrfChannelInterceptor
only for the purpose of updating to 6.0, you can remove it completely.