spring-security/docs/modules/ROOT/pages/migration/servlet/exploits.adoc

= Exploit Protection Migrations
:spring-security-reference-base-url: https://docs.spring.io/spring-security/reference

The 5.8 migration guide contains several steps for
ifdef::spring-security-version[]
{spring-security-reference-base-url}/5.8/migration/servlet/exploits.html[exploit protection migrations] when updating to 6.0.
endif::[]
ifndef::spring-security-version[]
exploit protection migrations when updating to 6.0.
endif::[]
You are encouraged to follow those steps first.

The following steps relate to how to finish migrating exploit protection support.

== Defer Loading CsrfToken

In Spring Security 5.8, the default `CsrfTokenRequestHandler` for making the `CsrfToken` available to the application is `CsrfTokenRequestAttributeHandler`.
The default for the field `csrfRequestAttributeName` is `null`, which causes the CSRF token to be loaded on every request.

In Spring Security 6, `csrfRequestAttributeName` defaults to `_csrf`.
If you configured the following only for the purpose of updating to 6.0, you can now remove it:

    requestHandler.setCsrfRequestAttributeName("_csrf");

== Protect against CSRF BREACH

In Spring Security 5.8, the default `CsrfTokenRequestHandler` for making the `CsrfToken` available to the application is `CsrfTokenRequestAttributeHandler`.
`XorCsrfTokenRequestAttributeHandler` was added to allow opting into CSRF BREACH support.

In Spring Security 6, `XorCsrfTokenRequestAttributeHandler` is the default `CsrfTokenRequestHandler` for making the `CsrfToken` available.
If you configured the `XorCsrfTokenRequestAttributeHandler` only for the purpose of updating to 6.0, you can remove it completely.

[NOTE]
====
If you have set the `csrfRequestAttributeName` to `null` in order to opt out of deferred tokens, or if you have configured a `CsrfTokenRequestHandler` for any other reason, you can leave the configuration in place.
====

== CSRF BREACH with WebSocket support

In Spring Security 5.8, the default `ChannelInterceptor` for making the `CsrfToken` available with xref:servlet/integrations/websocket.adoc[WebSocket Security] is `CsrfChannelInterceptor`.
`XorCsrfChannelInterceptor` was added to allow opting into CSRF BREACH support.

In Spring Security 6, `XorCsrfChannelInterceptor` is the default `ChannelInterceptor` for making the `CsrfToken` available.
If you configured the `XorCsrfChannelInterceptor` only for the purpose of updating to 6.0, you can remove it completely.
Add section for migrating WebSocket support Issue gh-12378 2023-01-27 05:34:50 +08:00			`= Exploit Protection Migrations`
Fix hard-coded link in remote build Issue gh-13156 2023-05-13 04:43:14 +08:00			`:spring-security-reference-base-url: https://docs.spring.io/spring-security/reference`
Add section for migrating WebSocket support Issue gh-12378 2023-01-27 05:34:50 +08:00
Add sections for migrating exploit protection in 6.0 Issue gh-12462 2023-02-16 05:25:43 +08:00			`The 5.8 migration guide contains several steps for`
			`ifdef::spring-security-version[]`
Fix hard-coded link in remote build Issue gh-13156 2023-05-13 04:43:14 +08:00			`{spring-security-reference-base-url}/5.8/migration/servlet/exploits.html[exploit protection migrations] when updating to 6.0.`
Add sections for migrating exploit protection in 6.0 Issue gh-12462 2023-02-16 05:25:43 +08:00			`endif::[]`
			`ifndef::spring-security-version[]`
			`exploit protection migrations when updating to 6.0.`
			`endif::[]`
			`You are encouraged to follow those steps first.`

Add section for migrating WebSocket support Issue gh-12378 2023-01-27 05:34:50 +08:00			`The following steps relate to how to finish migrating exploit protection support.`

Add sections for migrating exploit protection in 6.0 Issue gh-12462 2023-02-16 05:25:43 +08:00			`== Defer Loading CsrfToken`

			In Spring Security 5.8, the default `CsrfTokenRequestHandler` for making the `CsrfToken` available to the application is `CsrfTokenRequestAttributeHandler`.
			The default for the field `csrfRequestAttributeName` is `null`, which causes the CSRF token to be loaded on every request.

			In Spring Security 6, `csrfRequestAttributeName` defaults to `_csrf`.
			`If you configured the following only for the purpose of updating to 6.0, you can now remove it:`

			`requestHandler.setCsrfRequestAttributeName("_csrf");`

			`== Protect against CSRF BREACH`

			In Spring Security 5.8, the default `CsrfTokenRequestHandler` for making the `CsrfToken` available to the application is `CsrfTokenRequestAttributeHandler`.
			`XorCsrfTokenRequestAttributeHandler` was added to allow opting into CSRF BREACH support.

			In Spring Security 6, `XorCsrfTokenRequestAttributeHandler` is the default `CsrfTokenRequestHandler` for making the `CsrfToken` available.
			If you configured the `XorCsrfTokenRequestAttributeHandler` only for the purpose of updating to 6.0, you can remove it completely.

			`[NOTE]`
			`====`
			If you have set the `csrfRequestAttributeName` to `null` in order to opt out of deferred tokens, or if you have configured a `CsrfTokenRequestHandler` for any other reason, you can leave the configuration in place.
			`====`

Add section for migrating WebSocket support Issue gh-12378 2023-01-27 05:34:50 +08:00			`== CSRF BREACH with WebSocket support`

			In Spring Security 5.8, the default `ChannelInterceptor` for making the `CsrfToken` available with xref:servlet/integrations/websocket.adoc[WebSocket Security] is `CsrfChannelInterceptor`.
			`XorCsrfChannelInterceptor` was added to allow opting into CSRF BREACH support.

			In Spring Security 6, `XorCsrfChannelInterceptor` is the default `ChannelInterceptor` for making the `CsrfToken` available.
			If you configured the `XorCsrfChannelInterceptor` only for the purpose of updating to 6.0, you can remove it completely.