I would like to know is there any proper way to enable CSRF protection on all GET request's of the application? at the moment I have implemented it on all POST request using javax.servlet.Filter and then enabling it inside the JSP's POST methods hidden fields like this
<input type="hidden" name="csrf-token" value="${my_csrf_token}" />
Did same for GET requests as well, appending the token to parameters like this
$.ajax({
url: "${pageContext.request.contextPath}/Someprocess.do",
type: "GET",
data: {param1: request.param1, param2: "param2", csrf_token: "${CSRF_TOKEN}"},
dataType: "json",
success: function (data) {
response(data);
}
});
but it gets displayed in URL
domain?params=params&csrf_token=token
would much appreciate good hints.
Your protection mechanism will depend on your authentication type. For stateful authentication you could implement JWT. If you only use authentication via Bearer tokens and not via cookies then CSRF vulnerability shouldn't be a problem.
If you want stateless authentication, then you will be prone to CSRF even with JWT token. You will need an information that isn't included in a cookie, some CSRF mitigation mechanism, for example you could use a CSRF token.