I have this app:

And I’m wondering how do I properly secure it? The app has:

  • Server-rendered pages with Thymeleaf.
  • An API providing data for the pages.

What’s the proper way to secure and its underlying limitations considering this architecture?

Some questions that pop on my mind, to help you understand why I’m asking:

  • Can I go with Spring Security defaults (adding csrf token on my forms that POST/PUT with Vue.js)?
  • How do I integrate this with my DELETE via API, for example?
  • Should I disable csrf?
  • Does this architecture makes sense? What are the caveats?


Cover image from Christoph Scholz.

This post is also available on DEV.