2020-06-30 14:41:58 +02:00
include::../description.adoc[]
include::../ask-yourself.adoc[]
include::../recommended.adoc[]
== Sensitive Code Example
2021-11-22 18:34:02 +01:00
https://docs.spring.io/spring-security/site/docs/5.0.x/reference/html/csrf.html#csrf-using[Spring Security] provides by default a protection against CSRF attacks which can be disabled:
2020-06-30 14:41:58 +02:00
----
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
2021-01-29 15:53:23 +01:00
http.csrf().disable(); // Sensitive: csrf protection is entirely disabled
// or
http.csrf().ignoringAntMatchers("/route/"); // Sensitive: csrf protection is disabled for specific routes
2020-06-30 14:41:58 +02:00
}
}
----
== Compliant Solution
2021-11-22 18:34:02 +01:00
https://docs.spring.io/spring-security/site/docs/5.0.x/reference/html/csrf.html#csrf-using[Spring Security] CSRF protection is enabled by default, do not disable it:
2020-06-30 14:41:58 +02:00
2022-02-04 17:28:24 +01:00
[source,java]
2020-06-30 14:41:58 +02:00
----
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
// http.csrf().disable(); // Compliant
}
}
----
include::../see.adoc[]
2021-06-02 20:44:38 +02:00
2021-06-03 09:05:38 +02:00
ifdef::env-github,rspecator-view[]
2021-09-20 15:38:42 +02:00
'''
== Implementation Specification
(visible only on this page)
include::../message.adoc[]
2021-06-08 15:52:13 +02:00
'''
2021-06-02 20:44:38 +02:00
== Comments And Links
(visible only on this page)
include::../comments-and-links.adoc[]
2023-06-22 10:38:01 +02:00
2021-06-03 09:05:38 +02:00
endif::env-github,rspecator-view[]
