Why @NoCSRFRequired for an apps's REST API?


I’m currently developing an app that will expose some REST API resources so that another system can integrate with Nextcloud.

I wonder why the official tutorial at https://docs.nextcloud.com/server/21/developer_manual/app_development/tutorial.html#adding-a-restful-api-optional recommends to add the @NoCSRFRequired annotation to controller methods. It says:

The only pieces that need to be changed are the annotations which disable the CSRF check (not needed for a REST call usually)

Why should CSRF checking not be needed for REST?

Because if the API allows to change the state of resources, can’t the user be tricked to submit a forged request?

Side note: I already tried to keep CSRF active and construct a sample script with cURL that sends the CSRF token. Unfortunately I had no success so far.

The tutorial is a guideline. If you think CSRF should be checked then don’t add the annotation.

Thanks for your quick response.

Taking the notes app from the tutorial, which allows to create, update and destroy notes, wouldn’t a CSRF check be mandatory from a security perspective? However, I am unsure if I am misunderstanding CSRF or how @NoCSRFRequired works. That’s why I am asking.

When I add @NoCSRFRequired to my ApiController method and when I am logged in in Nextcloud in my browser, I can send a request to the API successfully in a second tab. If this request is changing state (like deleting a note in the tutorial), wouldn’t the app be vulnerable against a CSRF attack?

For those coming here in the future: When disabling CSRF checking through the @NoCSRFRequired annotation, and adding the @CORS annotation as recommended in the docs, then you’re safe.


Because @CORS is enforcing basic auth and thus disallows session authentication. See https://github.com/nextcloud/server/blob/66641b6e6516eb0b2867506a09f4977b850a21bc/lib/private/AppFramework/Middleware/Security/CORSMiddleware.php#L84. I’ve just not found it in docs and I believe this fact isn’t mentioned.