Recipe Name:
CSRF: Disabled CSRF protection (AbstractHttpConfigurer)
Description:
Disabling Spring Security's CSRF protection makes the application vulnerable
Level:
error
Language:
- java
Tags:
- Spring
- security
- framework specific
- web
- Spring Security
- CSRF
- OWASP Top 10
Documentation
Spring Security by default provides protection against Cross-Site Request Forgery (CSRF) attacks. Disabling it would put the application at risk.
Before
http.csrf().disable();
After
http.csrf();
References
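An added example, not part of the recipe: the flagged call beside the rewrite the recipe applies, placed in the Spring Security 5.x `WebSecurityConfigurerAdapter` style that the Before/After snippets above assume. The class name `WebSecurityConfig`, the `authorizeRequests()` lines and the `CookieCsrfTokenRepository` line for JavaScript clients are assumptions added here, not from the recipe.

```java
// Added example (not the recipe's own code): vulnerable setting beside the corrected one.
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Flagged by the recipe (CWE-352): the framework's default CSRF filter is turned off,
        // so a state-changing request that a browser is tricked into sending is accepted
        // as long as the victim's session cookie rides along.
        // http.csrf().disable();

        // The recipe's rewrite: keep the default protection. Spring then requires the
        // synchronizer token (the _csrf form field or X-CSRF-TOKEN header) on every
        // POST/PUT/PATCH/DELETE and answers 403 when it is missing or does not match.
        http.csrf();

        // Assumption added here: if the protection was disabled because a JavaScript client
        // has no server-rendered form to read the token from, expose the token in a
        // readable XSRF-TOKEN cookie and have the client echo it in the X-XSRF-TOKEN header.
        // This keeps the check in place instead of removing it.
        http.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());

        // Remaining configuration is an assumption, shown only so the class is complete.
        http.authorizeRequests()
            .anyRequest().authenticated()
            .and()
            .formLogin();
    }
}
```

Calling `http.csrf()` twice returns the same configurer, so the second call refines the first rather than replacing it.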
Recipe
id: scw:spring:csrf:disabled-AbstractHttpConfigurer
version: 10
metadata:
  name: 'CSRF: Disabled CSRF protection (AbstractHttpConfigurer)'
  shortDescription: Disabling Spring Security's CSRF protection makes the application vulnerable
  level: error
  language: java
  scwCategory: csrf:csrf
  cweCategory: 352
  enabled: true
  descriptionFile: descriptions/CSRFprotectiondonotdisabledefaultprotection.html
  tags: Spring;security;framework specific;web;Spring Security;CSRF;OWASP Top 10
search:
  methodcall:
    name: disable
    declaration:
      type: org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer
    "on":
      methodcall:
        name: csrf
availableFixes:
  - name: Enable CSRF protection
    actions:
      - rewrite:
          to: '{{{ qualifier }}}'
          target: self