Do not disable CSRF

Docs > Datadog Security > Code Security > Static Code Analysis (SAST) > SAST ルール > Do not disable CSRF

このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。

Metadata

ID: java-security/spring-csrf-disable

Language: Java

Severity: Warning

Category: Security

CWE: 352

Description

Disabling CSRF leads to security issues as the server may not be able to accurately identify a request.

Learn More

CWE-352

Non-Compliant Code Examples

class Test {
  @Bean
  public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
    http.authorizeHttpRequests(
        auth ->
            auth.requestMatchers(
                    "/css/**",
                    "/images/**",
                    "/js/**",
                    "fonts/**",
                    "/plugins/**",
                    "/registration",
                    "/register.mvc",
                    "/actuator/**")
                .permitAll()
                .anyRequest()
                .authenticated());
    http.formLogin()
        .loginPage("/login")
        .defaultSuccessUrl("/welcome.mvc", true)
        .usernameParameter("username")
        .passwordParameter("password")
        .permitAll();
    http.logout().deleteCookies("JSESSIONID").invalidateHttpSession(true);
    http.csrf().disable();

    http.headers().cacheControl().disable();
    http.exceptionHandling().authenticationEntryPoint(new AjaxAuthenticationEntryPoint("/login"));
    return http.build();
  }
}

Compliant Code Examples

class Test {
  @Bean
  public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
    http.authorizeHttpRequests(
        auth ->
            auth.requestMatchers("/api/**")
                .authenticated());
    http.formLogin()
        .loginPage("/login")
        .permitAll();
    // CSRF is enabled by default, not calling disable()
    return http.build();
  }
}