For the latest stable version, please use Spring Security 6.1.12!

Exploit Protection Migrations

The 5.8 migration guide contains several steps for exploit protection migrations when updating to 6.0. You are encouraged to follow those steps first.

The following steps relate to how to finish migrating exploit protection support.

Defer Loading CsrfToken

In Spring Security 5.8, the default CsrfTokenRequestHandler for making the CsrfToken available to the application is CsrfTokenRequestAttributeHandler. The default for the field csrfRequestAttributeName is null, which causes the CSRF token to be loaded on every request.

In Spring Security 6, csrfRequestAttributeName defaults to _csrf. If you configured the following only for the purpose of updating to 6.0, you can now remove it:

requestHandler.setCsrfRequestAttributeName("_csrf");

Protect against CSRF BREACH

In Spring Security 5.8, the default CsrfTokenRequestHandler for making the CsrfToken available to the application is CsrfTokenRequestAttributeHandler. XorCsrfTokenRequestAttributeHandler was added to allow opting into CSRF BREACH support.

In Spring Security 6, XorCsrfTokenRequestAttributeHandler is the default CsrfTokenRequestHandler for making the CsrfToken available. If you configured the XorCsrfTokenRequestAttributeHandler only for the purpose of updating to 6.0, you can remove it completely.

If you have set the csrfRequestAttributeName to null in order to opt out of deferred tokens, or if you have configured a CsrfTokenRequestHandler for any other reason, you can leave the configuration in place.

CSRF BREACH with WebSocket support

In Spring Security 5.8, the default ChannelInterceptor for making the CsrfToken available with WebSocket Security is CsrfChannelInterceptor. XorCsrfChannelInterceptor was added to allow opting into CSRF BREACH support.

In Spring Security 6, XorCsrfChannelInterceptor is the default ChannelInterceptor for making the CsrfToken available. If you configured the XorCsrfChannelInterceptor only for the purpose of updating to 6.0, you can remove it completely.