CSRF vulnerabilities occur when attackers can trick a user to perform sensitive authenticated operations on a web application without his consent.

<body onload="document.forms[0].submit()">
<form>
<form action="http://mybank.com/account/transfer_money" method="POST">
    <input type="hidden" name="accountNo" value="attacker_account_123456"/>
    <input type="hidden" name="amount" value="10000"/>
    <input type="submit" value="Steal money"/>
</form>

If an user visits the attacker's website which contains the above malicious code, his bank account will be debited without his consent and notice.

Ask Yourself Whether

You are at risk if you answered yes to any of those questions.

Recommended Secure Coding Practices

Sensitive Code Example

Spring Security provides by default a protection against CSRF attacks.

@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

  @Override
  protected void configure(HttpSecurity http) throws Exception {
    http.csrf().disable(); // Sensitive
  }
}

Compliant Solution

With Spring Security CSRF protection is enabled by default, do not disable it.

@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

  @Override
  protected void configure(HttpSecurity http) throws Exception {
    // http.csrf().disable(); // Compliant
  }
}

See