40 lines
1.1 KiB
Plaintext
40 lines
1.1 KiB
Plaintext
include::../description.adoc[]
|
|
|
|
include::../ask-yourself.adoc[]
|
|
|
|
include::../recommended.adoc[]
|
|
|
|
== Sensitive Code Example
|
|
|
|
https://docs.spring.io/spring-security/site/docs/3.2.0.CI-SNAPSHOT/reference/html/csrf.html[Spring Security] provides by default a protection against CSRF attacks which can be disabled:
|
|
|
|
----
|
|
@EnableWebSecurity
|
|
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
|
|
|
|
@Override
|
|
protected void configure(HttpSecurity http) throws Exception {
|
|
http.csrf().disable(); // Sensitive: csrf protection is entirely disabled
|
|
// or
|
|
http.csrf().ignoringAntMatchers("/route/"); // Sensitive: csrf protection is disabled for specific routes
|
|
}
|
|
}
|
|
----
|
|
|
|
== Compliant Solution
|
|
|
|
https://docs.spring.io/spring-security/site/docs/3.2.0.CI-SNAPSHOT/reference/html/csrf.html[Spring Security] CSRF protection is enabled by default, do not disable it:
|
|
|
|
----
|
|
@EnableWebSecurity
|
|
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
|
|
|
|
@Override
|
|
protected void configure(HttpSecurity http) throws Exception {
|
|
// http.csrf().disable(); // Compliant
|
|
}
|
|
}
|
|
----
|
|
|
|
include::../see.adoc[]
|