CSRF vulnerabilities occur when attackers can trick a user to perform sensitive authenticated operations on a web application without his consent.

<body onload="document.forms[0].submit()">
<form>
<form action="http://mybank.com/account/transfer_money" method="POST">
    <input type="hidden" name="accountNo" value="attacker_account_123456"/>
    <input type="hidden" name="amount" value="10000"/>
    <input type="submit" value="Steal money"/>
</form>

If an user visits the attacker's website which contains the above malicious code, his bank account will be debited without his consent and notice.

Ask Yourself Whether

There is a risk if you answered yes to any of those questions.

Recommended Secure Coding Practices

Sensitive Code Example

Spring Security provides by default a protection against CSRF attacks.

@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

  @Override
  protected void configure(HttpSecurity http) throws Exception {
    http.csrf().disable(); // Sensitive
  }
}

Compliant Solution

With Spring Security CSRF protection is enabled by default, do not disable it.

@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

  @Override
  protected void configure(HttpSecurity http) throws Exception {
    // http.csrf().disable(); // Compliant
  }
}

See