Do not disable CSRF

이 페이지는 아직 한국어로 제공되지 않으며 번역 작업 중입니다. 번역에 관한 질문이나 의견이 있으시면 언제든지 저희에게 연락해 주십시오.

Metadata

ID: java-security/spring-csrf-disable

Language: Java

Severity: Warning

Category: Security

Description

Disabling CSRF leads to security issues as the server may not be able to accurately identify a request.

Learn More

Non-Compliant Code Examples

class Test {
  @Bean
  public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
    http.authorizeHttpRequests(
        auth ->
            auth.requestMatchers(
                    "/css/**",
                    "/images/**",
                    "/js/**",
                    "fonts/**",
                    "/plugins/**",
                    "/registration",
                    "/register.mvc",
                    "/actuator/**")
                .permitAll()
                .anyRequest()
                .authenticated());
    http.formLogin()
        .loginPage("/login")
        .defaultSuccessUrl("/welcome.mvc", true)
        .usernameParameter("username")
        .passwordParameter("password")
        .permitAll();
    http.logout().deleteCookies("JSESSIONID").invalidateHttpSession(true);
    http.csrf().disable();

    http.headers().cacheControl().disable();
    http.exceptionHandling().authenticationEntryPoint(new AjaxAuthenticationEntryPoint("/login"));
    return http.build();
  }
}