java - CSRF token protection with AJAX GET method
I'm a bit confused by the information online.
I'm using CSRF protection with Spring Security on the back-end.
I wanted to ask whether it is safe to send the CSRF token from the Angular front-end while I'm passing the token within the HTTP header using an AJAX GET method?
Because according to the Spring docs you shouldn't use the GET method; on the other hand, it doesn't say whether it's okay to use AJAX GET when passing it in the HTTP header.
Second,
if I shouldn't use GET, how do I use a REST service with CSRF protection? Should I give up the GET method or the CSRF protection?
Since GET requests should not modify state on the server, they should be "read-only", so CSRF protection should not be needed for GET requests.
The problem with leakage is related to browser usage, because GET requests do not contain a body and the token is sent as a request parameter. The CSRF token is then visible through shoulder surfing, is stored in bookmarks, appears in the browser history or is logged on the server (although logging also applies to AJAX requests).
Since we are talking about AJAX requests, most of the leakage does not apply, although setting it in the header may still apply in the case of URLs appearing in logs, if the logs contain the headers too.
But using a custom header (with or without a token) can be used to prevent CSRF attacks, because AJAX requests cannot set custom headers cross-domain other than:
- Accept
- Accept-Language
- Content-Language
- Last-Event-ID
- Content-Type
Thus using a custom header such as X-Requested-With: XMLHttpRequest,
e.g. as set by jQuery, and verifying that header on the server can prevent CSRF attacks.
Last but not least, there is one interesting article about having the same token for GET and POST requests: having same-origin access to a GET request via an XSS vulnerability in a separate web application on the same origin, the token can be leaked from the GET request and used for a POST. The solution there is either to not use CSRF tokens for GET, or to use different tokens for GET and POST.
Basically, regarding your questions: if GET does not have side effects, a CSRF token is not needed, but it does not hurt. On the other hand, if the request changes something on the server, you should think about using a different verb (e.g. POST) depending on what you want, and protect the POST requests with a CSRF token or a custom header.