CSRF: Disabled CSRF protection (HttpSecurity) :: Recipe Details

Recipe Name:

CSRF: Disabled CSRF protection (HttpSecurity)

Description:

Disabling Spring Security's CSRF protection makes the application vulnerable

Level:

error

Language:

java

Tags:

Spring
security
framework specific
web
Spring Security
CSRF
OWASP Top 10

Documentation

Spring Security by default provides protection against Cross-Site Request Forgery (CSRF) attacks. Disabling it would put the application at risk.

Before

http.csrf().disable();

After

http.csrf();

References

Recipe

id: scw:spring:csrf:disabled-HttpSecurity
version: 10
metadata:
  name: 'CSRF: Disabled CSRF protection (HttpSecurity)'
  shortDescription: Disabling Spring Security's CSRF protection makes the application vulnerable
  level: error
  language: java
  scwCategory: csrf:csrf
  cweCategory: 352
  enabled: true
  descriptionFile: descriptions/CSRFprotectiondonotdisabledefaultprotection.html
  tags: Spring;security;framework specific;web;Spring Security;CSRF;OWASP Top 10
search:
  methodcall:
    name: disable
    "on":
      methodcall:
        name: csrf
        anyOf:
        - type: org.springframework.security.config.web.server.ServerHttpSecurity
        - type: org.springframework.security.config.web.server.HttpSecurity
availableFixes:
- name: Enable CSRF protection
  actions:
  - rewrite:
      to: '{{{ qualifier }}}'
      target: self