Do not disable CSRF

문서 > Datadog 보안 > Code Security > Static Code Analysis (SAST) > SAST 규칙 > Do not disable CSRF

이 페이지는 아직 한국어로 제공되지 않습니다. 번역 작업 중입니다.
현재 번역 프로젝트에 대한 질문이나 피드백이 있으신 경우 언제든지 연락주시기 바랍니다.

Metadata

ID: java-security/spring-csrf-disable

Language: Java

Severity: Warning

Category: Security

CWE: 352

Description

Disabling CSRF leads to security issues as the server may not be able to accurately identify a request.

Learn More

CWE-352

Non-Compliant Code Examples

class Test {
  @Bean
  public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
    http.authorizeHttpRequests(
        auth ->
            auth.requestMatchers(
                    "/css/**",
                    "/images/**",
                    "/js/**",
                    "fonts/**",
                    "/plugins/**",
                    "/registration",
                    "/register.mvc",
                    "/actuator/**")
                .permitAll()
                .anyRequest()
                .authenticated());
    http.formLogin()
        .loginPage("/login")
        .defaultSuccessUrl("/welcome.mvc", true)
        .usernameParameter("username")
        .passwordParameter("password")
        .permitAll();
    http.logout().deleteCookies("JSESSIONID").invalidateHttpSession(true);
    http.csrf().disable();

    http.headers().cacheControl().disable();
    http.exceptionHandling().authenticationEntryPoint(new AjaxAuthenticationEntryPoint("/login"));
    return http.build();
  }
}

Compliant Code Examples

class Test {
  @Bean
  public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
    http.authorizeHttpRequests(
        auth ->
            auth.requestMatchers("/api/**")
                .authenticated());
    http.formLogin()
        .loginPage("/login")
        .permitAll();
    // CSRF is enabled by default, not calling disable()
    return http.build();
  }
}