CSRF protection disabled in Spring

Description

Disabling CSRF protection via `.csrf().disable()` in Spring Security is dangerous. It allows attackers to exploit authenticated sessions via malicious links or forms.

Examples

Insecure Code

java

HttpSecurity http = http.csrf().disable();

Secure Code

java

HttpSecurity http = http.csrf().requireCsrfProtectionMatcher(new AntPathRequestMatcher("/api/**"));

Remediation

Remove `.csrf().disable()` unless explicitly justified. Use CSRF tokens and SameSite cookies for protection.

Rule Details

Field	Value
ID	CODE-0279
Category	Web
Severity	MEDIUM
CWE	CWE-352
Confidence	HIGH
Impact	HIGH
Likelihood	MEDIUM
Exploitability	EASY
Tags	csrf, spring-security
OWASP	A5:2017-Broken Access Control, A01:2021-Broken Access Control

Overview

SAST (Application Security)

SCA (Dependencies)

Secrets Detection

IaC Security

License Compliance

SAST Rules

IaC Rules

License Rules

CSRF protection disabled in Spring

Description

Examples

Insecure Code

Secure Code

Remediation

Rule Details

SAST Rules

IaC Rules

License Rules

CSRF protection disabled in Spring ​

Description ​

Examples ​

Insecure Code ​

Secure Code ​

Remediation ​

Rule Details ​

CSRF protection disabled in Spring

Description

Examples

Insecure Code

Secure Code

Remediation

Rule Details