CodeQL documentation

Disabled Spring CSRF protection

ID: java/spring-disabled-csrf-protection
Kind: problem
Severity: error
Precision: high
Tags:
   - security
   - external/cwe/cwe-352
Query suites:
   - java-code-scanning.qls
   - java-security-extended.qls
   - java-security-and-quality.qls

When you set up a web server to receive a request from a client without any mechanism for verifying that the client intentionally sent it, the server is vulnerable to cross-site request forgery. An attacker can trick a client into making an unintended request to the web server, which the server then treats as an authentic request. This can be done via a URL, an image load, an XMLHttpRequest, etc., and can result in exposure of data or unintended code execution.

When you use Spring, Cross-Site Request Forgery (CSRF) protection is enabled by default. Spring's recommendation is to use CSRF protection for any request that could be processed by a browser client on behalf of normal users.

The following example shows a Spring Java configuration with CSRF protection disabled. This type of configuration should only be used if you are creating a service that is used only by non-browser clients.

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
  protected void configure(HttpSecurity http) throws Exception {
    http.csrf(csrf ->
        // BAD - CSRF protection shouldn't be disabled
        csrf.disable());
  }
}
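For contrast, here is an added example (not from the CodeQL documentation or the Spring project) of a configuration that keeps CSRF protection enabled, written in the Spring Security 6 SecurityFilterChain style rather than the deprecated WebSecurityConfigurerAdapter. It assumes Spring Security 6.x; the path "/api/machine/**" is a placeholder for endpoints that are genuinely only called by non-browser clients.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

@Configuration
public class WebSecurityConfig {

  // GOOD - CSRF protection stays enabled (the Spring default).
  // The cookie-based token repository lets a JavaScript front end read the
  // XSRF-TOKEN cookie and send it back in the X-XSRF-TOKEN header, so browser
  // clients keep working without the protection being switched off.
  @Bean
  public SecurityFilterChain browserFilterChain(HttpSecurity http) throws Exception {
    http
      .csrf(csrf -> csrf
        .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
        // If a subset of endpoints is only ever called by non-browser clients
        // (for example, authenticated with a bearer token instead of a session
        // cookie), exempt just those paths rather than calling csrf.disable()
        // for the whole application. "/api/machine/**" is a placeholder path.
        .ignoringRequestMatchers("/api/machine/**"))
      .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
      .formLogin(Customizer.withDefaults());
    return http.build();
  }
}
```

Because the query flags any call to csrf.disable(), this configuration is not reported, while the whole-application disable in the example above is.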