Do not disable CSRF

Metadata

ID: java-security/spring-csrf-disable

Language: Java

Severity: Warning

Category: Security

CWE: 352

Description

Disabling CSRF leads to security issues as the server may not be able to accurately identify a request.

Learn More

Non-Compliant Code Examples

class Test {
  @Bean
  public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
    http.authorizeHttpRequests(
        auth ->
            auth.requestMatchers(
                    "/css/**",
                    "/images/**",
                    "/js/**",
                    "fonts/**",
                    "/plugins/**",
                    "/registration",
                    "/register.mvc",
                    "/actuator/**")
                .permitAll()
                .anyRequest()
                .authenticated());
    http.formLogin()
        .loginPage("/login")
        .defaultSuccessUrl("/welcome.mvc", true)
        .usernameParameter("username")
        .passwordParameter("password")
        .permitAll();
    http.logout().deleteCookies("JSESSIONID").invalidateHttpSession(true);
    http.csrf().disable();

    http.headers().cacheControl().disable();
    http.exceptionHandling().authenticationEntryPoint(new AjaxAuthenticationEntryPoint("/login"));
    return http.build();
  }
}
https://static.datadoghq.com/static/images/logos/github_avatar.svg https://static.datadoghq.com/static/images/logos/vscode_avatar.svg jetbrains

Seamless integrations. Try Datadog Code Analysis

Datadog Code Analysis
PREVIEWING: rtrieu/product-analytics-ui-changes