A cross-site request forgery (CSRF) attack occurs when an attacker can force a trusted user of a web application to perform sensitive actions the user did not intend, such as updating a profile or sending a message; more generally, any action that changes the state of the application.
The attacker tricks the victim into clicking a link that triggers the privileged action, or into visiting a malicious web site that embeds a hidden request to the target application. Because web browsers automatically attach the cookies for the target site to that request, the forged request arrives authenticated as the victim and the sensitive action is carried out.
There is a risk if you answered yes to any of those questions.
Sensitive, state-changing operations should not be exposed through safe HTTP methods such as GET, which are designed to be used only for information retrieval. Spring Security enables CSRF protection by default, but it can be disabled, either entirely or for specific routes:
```java
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable(); // Sensitive: CSRF protection is entirely disabled
        // or
        http.csrf().ignoringAntMatchers("/route/"); // Sensitive: CSRF protection is disabled for specific routes
    }
}
```
Spring Security's CSRF protection is enabled by default; do not disable it:
```java
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // http.csrf().disable(); // Compliant: CSRF protection is left enabled (the default)
    }
}
```
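The following is an added example, not code from the original page or from Spring Security itself. It ties the attack described at the top of the page to the compliant configuration above: a small Spring Boot 2.x application keeps CSRF protection enabled and exposes the token through an `XSRF-TOKEN` cookie (Spring Security's `CookieCsrfTokenRepository`), and a MockMvc test plays the attacker's forged request, a POST that carries the victim's authenticated session but no CSRF token, and checks that Spring Security rejects it with 403 while the same POST with a valid token succeeds. The `/profile` endpoint, the `ProfileController` and `CsrfProtectionTest` classes and the user name `alice` are assumptions made for the illustration; the dependencies assumed are `spring-boot-starter-web`, `spring-boot-starter-security`, `spring-boot-starter-test` and `spring-security-test`. In a real project the test class lives under `src/test`; it is shown in the same listing here so the whole scenario is visible at once.

```java
// Added example (not from the original page or from Spring Security): a Spring Boot 2.x
// application that keeps CSRF protection enabled, and a MockMvc test that simulates a
// cross-site forged POST. Hypothetical names: /profile, ProfileController, CsrfProtectionTest, "alice".

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

@SpringBootApplication
public class CsrfDemoApplication {
    public static void main(String[] args) {
        SpringApplication.run(CsrfDemoApplication.class, args);
    }
}

@EnableWebSecurity
class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests().anyRequest().authenticated()
            .and()
            // CSRF protection stays enabled (the default). The token is also written to an
            // XSRF-TOKEN cookie readable by the site's own JavaScript, which copies it into the
            // X-XSRF-TOKEN header. An attacker page on another origin cannot read that cookie,
            // so its forged request cannot carry the token.
            .csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
    }
}

@RestController
class ProfileController {
    // The state-changing action is only reachable via POST: a plain GET link cannot trigger it.
    @PostMapping("/profile")
    String updateProfile(@RequestParam String displayName) {
        return "updated display name to " + displayName;
    }
}

@SpringBootTest
@AutoConfigureMockMvc
class CsrfProtectionTest {
    @Autowired
    MockMvc mockMvc;

    @Test
    @WithMockUser("alice") // the victim is logged in; the browser would send her session cookie automatically
    void forgedCrossSiteRequestWithoutTokenIsRejected() throws Exception {
        // What a hidden <form> on the attacker's page would submit: authenticated, but no CSRF token.
        mockMvc.perform(post("/profile").param("displayName", "pwned"))
               .andExpect(status().isForbidden());
    }

    @Test
    @WithMockUser("alice")
    void legitimateRequestWithTokenSucceeds() throws Exception {
        // csrf() adds the token the site's own page would have obtained from Spring Security.
        mockMvc.perform(post("/profile").param("displayName", "Alice").with(csrf()))
               .andExpect(status().isOk())
               .andExpect(content().string("updated display name to Alice"));
    }
}
```

The first test is the attack scenario from the opening paragraphs: the request is authenticated (the cookie is there) but the CSRF token is missing, so Spring Security's `CsrfFilter` stops it before the controller runs. Had the configuration called `http.csrf().disable()`, that same test would return 200 and the victim's profile would be changed.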