RSPEC-4502

Disabling Spring Security's CSRF protection is security-sensitive

    Details

    • Message:
      Make sure disabling Spring Security's CSRF protection is safe here.
    • Highlighting:
      the "disable()" of this call http.csrf().disable()
    • Default Severity:
      Critical
    • Impact:
      High
    • Likelihood:
      Low
    • Default Quality Profiles:
      Sonar way
    • Covered Languages:
      Java
    • Irrelevant for Languages:
      ABAP, C#, C, C++, Cobol, CSS, Flex, Go, HTML, JavaScript, Objective-C, PHP, PL/I, PL/SQL, Python, RPG, Swift, T-SQL, TypeScript, VB.Net, VB6, XML
    • Remediation Function:
      Constant/Issue
    • Constant Cost:
      5min
    • Analysis Scope:
      Main Sources
    • CWE:
      CWE-352
    • OWASP:
      A6
    • SANS Top 25:
      Insecure Interaction Between Components
    • FindSecBugs:
      SPRING_CSRF_PROTECTION_DISABLED

      Description

      Spring Security ships with protection against CSRF attacks out of the box, and since version 4.0 that protection is enabled by default. Spring's recommendation is to "use CSRF protection for any request that could be processed by a browser by normal users", so there is no reason to disable it for a standard web application.

      Recommended Secure Coding Practices

      • keep Spring Security's CSRF protection active; do not call disable() on http.csrf().

      Noncompliant Code Example

      import org.springframework.security.config.annotation.web.builders.HttpSecurity;
      import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
      import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

      @EnableWebSecurity
      public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
          // Removes the CSRF filter for every request handled by this application
          http.csrf().disable(); // Noncompliant
        }
      }
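      For contrast, a compliant configuration that keeps the protection enabled (an added example, not part of the rule's own text). It assumes a JavaScript front-end that reads the XSRF-TOKEN cookie; the "/webhooks/**" path is a placeholder for the only kind of endpoint where a narrowly scoped exemption may be justified.

```java
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

  @Override
  protected void configure(HttpSecurity http) throws Exception {
    http
      // Compliant: CSRF protection stays on for every state-changing request
      // (POST, PUT, PATCH, DELETE) that a browser could send with the user's session.
      .csrf()
        // Cookie-based token repository so a JavaScript client can read the
        // XSRF-TOKEN cookie and send it back in the X-XSRF-TOKEN header.
        .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
        // If an exemption is genuinely needed (e.g. a server-to-server webhook
        // authenticated by its own secret rather than a browser session), limit it
        // to that path instead of disabling CSRF globally. Placeholder path.
        .ignoringAntMatchers("/webhooks/**")
        .and()
      .authorizeRequests()
        .anyRequest().authenticated()
        .and()
      .formLogin();
  }
}
```

      With this configuration a POST that carries a valid session cookie but no CSRF token is rejected with HTTP 403, which is the behaviour the rule wants to preserve.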
      

      See

              People

              • Assignee:
                Unassigned
              • Reporter:
                Alexandre Gigleux (alexandre.gigleux)