PlayFramework 2.3: Global CSRF Protection – Disable CSRF selectively

I’m using PlayFramework 2.3 [1] on a new project of mine. Because I want the project to be safe by default, I enabled CSRF (Cross-Site Request Forgery) protection globally [2] [3].
In this project, I’m doing a pass-through of some legacy pages using a custom proxy I’ve built. These pages don’t know the concept of CSRF tokens and therefore need to be excluded from CSRF checking.
Unfortunately, the PlayFramework CSRF filter currently only offers two modes: disable CSRF protection globally and enable it on certain actions, or enable it globally and disable it nowhere. That’s not really what I want.

To accomplish my goal, I had to create a little hack. Thanks to the decorator pattern [4], it is only a few lines of code. It consists of 3 easy steps.

1. Adjust your Global.scala file like this:

2. Adjust your routes file. Actions that should be excluded from the CSRF check need a comment #NOCSRF above them, like this:

3. That’s basically it. If you need your page to have a CSRF token available (because it e.g. contains a login form), annotate or wrap your actions accordingly.

For Scala:
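The three steps above, worked through as one added example (this is my own illustration, not the code from the original post). It assumes the Play 2.3 Scala API as I know it: `play.filters.csrf.CSRFFilter` with its companion `CSRFFilter()`, `play.api.mvc.EssentialFilter` / `EssentialAction`, `play.filters.csrf.CSRFAddToken` and `CSRF.getToken`, and `play.api.Routes.ROUTE_COMMENTS` as the request tag under which Play attaches the comment written directly above a route. The `LegacyProxy` and `Auth` controllers and the `/legacy` path are placeholders.

```scala
// ---- app/Global.scala ----
import play.api.{GlobalSettings, Routes}
import play.api.mvc.{EssentialAction, EssentialFilter, RequestHeader, WithFilters}
import play.filters.csrf.CSRFFilter

/** Decorator around Play's CSRFFilter. A route whose routes-file comment contains the
  * marker NOCSRF bypasses the check; every other request, including one that matched no
  * route and therefore carries no tags, goes through the real filter (deny by default).
  */
class SelectiveCSRFFilter(underlying: EssentialFilter = CSRFFilter()) extends EssentialFilter {
  private val Marker = "NOCSRF"

  // Routes.ROUTE_COMMENTS is assumed to hold the comment line(s) above the matched route.
  private def isExcluded(rh: RequestHeader): Boolean =
    rh.tags.get(Routes.ROUTE_COMMENTS).exists(_.contains(Marker))

  def apply(next: EssentialAction): EssentialAction = EssentialAction { rh =>
    if (isExcluded(rh)) next(rh)   // marked route: hand the request straight to the action
    else underlying(next)(rh)      // everything else: Play's normal CSRF handling
  }
}

object Global extends WithFilters(new SelectiveCSRFFilter()) with GlobalSettings

// ---- conf/routes (excerpt) ----
// Only the comment directly above a route is attached to it, so the proxy route is
// excluded while the login POST below it is still checked.
//
//   #NOCSRF
//   POST   /legacy/*path     controllers.LegacyProxy.forward(path: String)
//
//   GET    /login            controllers.Auth.login
//   POST   /login            controllers.Auth.authenticate

// ---- app/controllers/Auth.scala ----
package controllers

import play.api.mvc._
import play.filters.csrf.{CSRF, CSRFAddToken}

object Auth extends Controller {
  // The page that renders the form must have a token available, so the GET action is
  // wrapped with Play's CSRFAddToken; the POST is checked by the global filter already.
  def login = CSRFAddToken {
    Action { implicit request =>
      // A real view would read the token in the template; shown inline for brevity.
      val token = CSRF.getToken(request).map(_.value).getOrElse("")
      Ok(s"login form goes here; csrf token = $token")
    }
  }

  def authenticate = Action { implicit request => Ok("authenticated") }
}
```

The decorator only ever widens the bypass to routes that carry the marker, so the default stays "checked": a request with no matching route, or a route someone forgot to tag, still hits the real `CSRFFilter`. That also makes review easy: grepping `conf/routes` for `NOCSRF` lists exactly the endpoints left without CSRF protection, which for this use case should be only the proxied legacy pages that cannot carry a token. For Java controllers the same step 3 is done with the `@AddCSRFToken` and `@RequireCSRFCheck` annotations rather than the Scala wrappers.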
