CSRF Token in REST API with authentication

Yes, you don't need CSRF protection when using a bearer scheme authentication as the browser does not automatically add the Authorization header to the request.

You do need CSRF protection for cookies, basic, Windows, digest and client certificates authentication schemes as these are automatically added by the browser.

See also Dominick Baier's article on implicit vs explicit authentication: http://leastprivilege.com/2015/04/01/implicit-vs-explicit-authentication-in-browser-based-applications/

CSRF Token in REST API with authentication

Tags:

Authentication

Rest

Http Headers

Restful Authentication

Csrf

Related

Recent Posts