56 lines
1.4 KiB
Plaintext
56 lines
1.4 KiB
Plaintext
include::../description.adoc[]
|
|
|
|
include::../ask-yourself.adoc[]
|
|
|
|
include::../recommended.adoc[]
|
|
|
|
== Sensitive Code Example
|
|
|
|
https://docs.spring.io/spring-security/site/docs/5.0.x/reference/html/csrf.html#csrf-using[Spring Security] provides by default a protection against CSRF attacks which can be disabled:
|
|
|
|
----
|
|
@EnableWebSecurity
|
|
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
|
|
|
|
@Override
|
|
protected void configure(HttpSecurity http) throws Exception {
|
|
http.csrf().disable(); // Sensitive: csrf protection is entirely disabled
|
|
// or
|
|
http.csrf().ignoringAntMatchers("/route/"); // Sensitive: csrf protection is disabled for specific routes
|
|
}
|
|
}
|
|
----
|
|
|
|
== Compliant Solution
|
|
|
|
https://docs.spring.io/spring-security/site/docs/5.0.x/reference/html/csrf.html#csrf-using[Spring Security] CSRF protection is enabled by default, do not disable it:
|
|
|
|
[source,java]
|
|
----
|
|
@EnableWebSecurity
|
|
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
|
|
|
|
@Override
|
|
protected void configure(HttpSecurity http) throws Exception {
|
|
// http.csrf().disable(); // Compliant
|
|
}
|
|
}
|
|
----
|
|
|
|
include::../see.adoc[]
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
include::../message.adoc[]
|
|
|
|
'''
|
|
== Comments And Links
|
|
(visible only on this page)
|
|
|
|
include::../comments-and-links.adoc[]
|
|
endif::env-github,rspecator-view[]
|