# CSRF Token help with React Front end


wet geyser

I have a React front end, and I can register and login, but whenever I try to make a POST request from one of my forms it's always 403 Forbidden. I've narrowed it down to the CSRF token causing this issue, but I don't understand why. I have a GET route that will get me a CSRF token, then on my POST request I add the CSRF token in the headers along with my JWT token and things just begin to fall apart. I'm pretty lost at this point, and need some explanations and a point in the right direction.

My code
https://gist.github.com/CydoEntis/ceb3ee75b56e80c9a14e0711b74e38b3

mighty rootBOT

This post has been reserved for your question.

Hey @wet geyser! Please use /close or the Close Post button above when you're finished. Please remember to follow the help guidelines. This post will be automatically closed after 300 minutes of inactivity.

TIP: Narrow down your issue to simple and precise questions to maximize the chance that others will reply in here.

sick kite

CSRF tokens are typically in the post body, not the header.


Can’t remember which backend you’re using, but might wanna check where it’s expecting the token to be.

wet geyser

I am using Spring Boot for my backend.

sick kite

Quickly checking online documentation, seems you have the option of sending it in the header but it’ll need to be “X-XSRF-TOKEN” which is slightly different from the one in your gist.

wet geyser

Can you link me this documentation? Clearly I'm reading the wrong stuff.

sick kite
wet geyser

Ahh yeah, I read through this and followed it, and still the same issue, so maybe my issue isn't the sending of the token but receiving it?

If our stateless API uses token-based authentication, such as JWT, we don't need CSRF protection, and we must disable it as we saw earlier.

Should I just opt not to do it? I remember you telling me that it's a good idea to add the CSRF protection as well though.

sick kite

As mentioned previously, the SO answer suggested using both methods to future proof against someone changing the JWT to be transmitted via cookie instead of a header, not realizing it was also being used for CSRF protection. Which is a situation that surely isn’t a concern for you in this case? So whether you use it or not doesn’t really matter. Regardless, if Spring doesn’t support it then that’s that.

wet geyser

Ok, and yes, I was just adding the CSRF token because I thought it should be added alongside the JWT, but it isn't really required for my application.


I should however send the JWT token on every request to the backend so I can verify the user is who they say they are, correct?

sick kite

Yep, absolutely.
As long as you're always going to be using a JWT to validate the user on every request, you don't have to worry about CSRF.


But if you ever switch to automatic validation (such as through a cookie) then CSRF attacks become possible.

wet geyser

I don't need it on every request though, just where the user needs to be authenticated, right? Basically my user can view all content of my app, but can't create, edit or delete content unless they are logged in. So for GET requests the JWT isn't really needed?

wet geyser
sick kite

A session cookie is a form of automatic validation.
It would be bad to assume that just because a user has this cookie, that the request was intentionally sent by them.

As for whether or not you need a JWT on every request: it's certainly needed for requests that make changes to the content, since it's acting as a CSRF token as well. Although, if you're not using the JWT to validate read access, then how are you ensuring that content is only viewed by people who should be able to view it? Or is that not relevant, such as an all-public-content thing?

wet geyser

It is all public content. You just can't add/edit/delete content unless you are authenticated.

sick kite

In that case, the only need that comes to mind for authenticating users is to enforce rate limiting and attribute potential attacks to the specific individual. Up to your use case though.

wet geyser

Alrighty, I appreciate the help! I think I got a better understanding of all of this now 🙂

sick kite

If it suits your fancy, wanna do a lad a favor and close the question and click the “Thank Justis” button that pops up? 🙏🏻
I just needed one more imaginary discord point to get that colorful rank.

wet geyser

Yeah, I couldn't find my other question to close it, but I will close this one now 😄

mighty rootBOT