Video 34: Spring Security part-3
Why .csrf.disable() in JWT Project?

Because CSRF protection is mainly needed when login relies on browser cookies/sessions. In a JWT project we send the token ourselves in the Authorization header, not through a browser cookie. So the reasoning is: no cookie/session, so CSRF protection is not necessary.

Very Simple Example

Old Login System (Session-Based)
After login the browser stores a cookie: JSESSIONID=123
The browser sends it automatically with every request.
⚠️ An attacker can misuse this automatic behavior
➡️ Need CSRF protection

JWT Login System
You send the token yourself: Authorization: Bearer mytoken
The browser does NOT send this header automatically.
➡️ An attacker's page cannot easily force it
➡️ So CSRF is usually disabled

One-Line Meaning
.csrf(csrf -> csrf.disable())
Means: "Spring, don't check the CSRF token, because this project uses JWT token auth in a header, not session login."

Interview Answer
We disable CSRF in a JWT project because JWT authentication is stateless and the token is sent in the Authorization header instead of an automatically attached browser cookie.

1. In the Old Session Login System
After login: the server creates a session ID → JSESSIONID=abc123, and the browser stores it in a cookie.
Then for every request:
GET /profile
Cookie: JSESSIONID=abc123
Important: the browser sends this cookie automatically. You do not write code for it.

2. Why This Causes CSRF Risk
If the attacker tricks the user into visiting a bad website containing:
<form action="https://bank.com/transfer" method="POST">
the browser automatically sends the bank's cookie with that POST. So the bank thinks: "Valid session cookie present → request is from the real user." That is CSRF.

3. In the JWT System
After login the server gives a token: JWT = eyJhbGciOi...
Now the developer chooses where to store it:
Option A: localStorage
Option B: Cookie
Option C: Memory

4. Why localStorage Helps Against CSRF
Because the browser does NOT automatically send anything from localStorage. Your own JavaScript adds the token to each request:
Authorization: Bearer token
The attacker's site cannot make the browser add your Authorization header to a request, so the CSRF risk is much lower.
Caveat: this only holds for Option A and Option C. If you pick Option B and the server reads the JWT from a cookie, the browser attaches it automatically again and you are back to the session-cookie situation, so CSRF protection must stay enabled. Also, localStorage can be read by any script running on your page, so an XSS bug can steal the token; that is the trade-off you accept.

5. Your Main Question: "Why did the old system not store the session in localStorage?"
Because old session auth was designed around the cookie + session ID model. The server expects:
Cookie: JSESSIONID=...
It was built before SPA/frontend-heavy patterns became common (servlet sessions predate localStorage by more than a decade), and traditional browser/server apps relied on automatic cookie handling. JWT-based APIs are called stateless because the server does not store login/session data for each user; everything it needs to authenticate the request is inside the signed token.
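The configuration the notes are talking about, written out as an added example (this is not the course's code or the original page's code). It assumes Spring Boot 3 / Spring Security 6, a shared HS256 secret in the property app.jwt.secret, and tokens carrying "sub" and "exp" claims; the class names JwtSecurityConfig and JwtAuthFilter are made up for the example. The point to notice is that the filter reads the token only from the Authorization header and never from a cookie, which is exactly what makes .csrf(...disable()) defensible:

```java
// Added example, not the course's code. Assumptions: Spring Boot 3 / Spring Security 6,
// HS256 secret in property "app.jwt.secret", tokens with "sub" and "exp" claims, Jackson on classpath.
package com.example.security;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.List;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.web.filter.OncePerRequestFilter;

@Configuration
public class JwtSecurityConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http, @Value("${app.jwt.secret}") String secret) throws Exception {
        JwtAuthFilter jwtFilter = new JwtAuthFilter(secret.getBytes(StandardCharsets.UTF_8));
        http
            // Disabling CSRF is safe ONLY because JwtAuthFilter never reads the token from a cookie:
            // a cross-site form can make the browser send cookies, but not an Authorization header.
            .csrf(AbstractHttpConfigurer::disable)
            // Never create an HttpSession, so there is no JSESSIONID for a forged request to ride on.
            .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/auth/**").permitAll()   // login endpoint that issues the JWT
                .anyRequest().authenticated())
            // Check the bearer token before Spring's own form-login filter would run.
            .addFilterBefore(jwtFilter, UsernamePasswordAuthenticationFilter.class);
        return http.build();
    }
}

/** Reads "Authorization: Bearer <jwt>", verifies it, and populates the SecurityContext. */
class JwtAuthFilter extends OncePerRequestFilter {
    private static final ObjectMapper JSON = new ObjectMapper();
    private final byte[] secret;

    JwtAuthFilter(byte[] secret) {
        this.secret = secret;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res, FilterChain chain)
            throws ServletException, IOException {
        String header = req.getHeader("Authorization");
        // Deliberately no req.getCookies(): taking the JWT from a cookie would bring CSRF back.
        if (header != null && header.startsWith("Bearer ")) {
            String subject = verifyHs256(header.substring("Bearer ".length()));
            if (subject != null) {
                var auth = new UsernamePasswordAuthenticationToken(
                        subject, null, List.of(new SimpleGrantedAuthority("ROLE_USER")));
                SecurityContextHolder.getContext().setAuthentication(auth);
            }
        }
        chain.doFilter(req, res);   // unauthenticated requests fall through and are rejected later
    }

    /** Returns the "sub" claim, or null if the token is malformed, forged, or expired. */
    private String verifyHs256(String token) {
        try {
            String[] parts = token.split("\\.");
            if (parts.length != 3) return null;
            // The server's key fixes the algorithm; the token's "alg" header is never trusted.
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(secret, "HmacSHA256"));
            byte[] expected = mac.doFinal((parts[0] + "." + parts[1]).getBytes(StandardCharsets.US_ASCII));
            byte[] given = Base64.getUrlDecoder().decode(parts[2]);
            if (!MessageDigest.isEqual(expected, given)) return null;   // constant-time comparison
            JsonNode claims = JSON.readTree(Base64.getUrlDecoder().decode(parts[1]));
            long now = System.currentTimeMillis() / 1000;
            if (!claims.hasNonNull("exp") || claims.get("exp").asLong() <= now) return null;
            return claims.hasNonNull("sub") ? claims.get("sub").asText() : null;
        } catch (Exception e) {
            return null;   // any crypto or parsing failure means "not authenticated", never a 500
        }
    }
}
```

If you later move the token into a cookie (Option B above), this filter would have to read req.getCookies(), and at that point the .csrf(...disable()) line must go back to the default or be replaced by a SameSite/double-submit scheme, because the browser would once again attach the credential to cross-site requests on its own.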