Spring CSRF protection disabled

Bug Pattern: SPRING_CSRF_PROTECTION_DISABLED

Disabling Spring Security’s CSRF protection is unsafe for standard web applications.

A valid use case for disabling this protection would be a service exposing state-changing operations that is guaranteed to be used only by non-browser clients.

Insecure configuration:

    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

    @EnableWebSecurity
    public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.csrf().disable(); // flagged line: turns CSRF protection off for every request
        }
    }
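A hardened counterpart to the configuration above, written as an added example for this page (it is not code from the Find Security Bugs project or from Spring). It keeps CSRF protection enabled for browser-facing routes and limits the exemption to a single path prefix; the `/api/**` prefix and the assumption that only non-browser, bearer-token clients reach it are made up for the example, and the `WebSecurityConfigurerAdapter` style matches the page's Spring Security 5.x snippet.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // CSRF protection is on by default; this block only customises it,
            // it never calls disable().
            .csrf()
                // Store the token in an XSRF-TOKEN cookie that a JavaScript front end
                // can read and echo back in the X-XSRF-TOKEN header on state-changing
                // requests. Session-based storage (the default) is also fine for
                // server-rendered forms.
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
                // Assumption for this example: /api/** is reached only by non-browser
                // clients that authenticate with a bearer token, so it cannot be driven
                // by a victim's browser session. Only that scope is exempted, instead of
                // switching the protection off for the whole application.
                .ignoringAntMatchers("/api/**")
                .and()
            .authorizeRequests()
                .anyRequest().authenticated()
                .and()
            // Browser sessions still log in with a form and a session cookie,
            // which is exactly the case CSRF protection exists for.
            .formLogin();
    }
}
```

With this in place an unauthenticated POST to a browser route without a token is rejected with 403 while the same request carrying a valid token succeeds; a MockMvc test using `SecurityMockMvcRequestPostProcessors.csrf()` is a convenient way to assert both outcomes in CI. On Spring Security 5.7 and later the same intent is expressed with a `SecurityFilterChain` bean and the lambda DSL (`csrf(c -> c.ignoringRequestMatchers(...))`); the bug pattern is the same in either style, a bare `csrf().disable()` or `csrf(AbstractHttpConfigurer::disable)` in an application that serves browsers.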

References
Spring Security Official Documentation: When to use CSRF protection
OWASP: Cross-Site Request Forgery
OWASP: CSRF Prevention Cheat Sheet
CWE-352: Cross-Site Request Forgery (CSRF)