CSRF Protection Disabled in Spring Security

Risk: Medium | Category: Authentication & Authorization

Tags: java, spring, csrf, web-security, session-management

What it is

Cross-Site Request Forgery (CSRF) is possible when an application authenticates browser requests with a credential the browser attaches on its own, typically the session cookie, and does not require proof that the request was issued from its own pages. Spring Security supplies that proof by default, a per-session token that must accompany every non-GET request; calling csrf().disable() turns the check off for the whole filter chain. An attacker can then host a page that, when a logged-in user visits it, submits a request such as a password change, a funds transfer or a settings update, and the application accepts it as if the user had made it.

Vulnerable code

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.ResponseEntity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(authz -> authz
                .anyRequest().authenticated()
            )
            .formLogin(form -> form.loginPage("/login"))
            // VULNERABLE: CSRF protection disabled. The CsrfFilter is removed from
            // the chain, so a cross-origin POST carrying the victim's session
            // cookie is processed like any other authenticated request.
            .csrf(csrf -> csrf.disable());

        return http.build();
    }
}

@RestController
public class AccountController {

    private final UserService userService;   // application service, assumed to exist

    public AccountController(UserService userService) {
        this.userService = userService;
    }

    // Vulnerable to CSRF: a plain HTML form post from another origin reaches
    // this handler with the victim's session, and no token is checked.
    @PostMapping("/api/account/change-password")
    public ResponseEntity<String> changePassword(
            @RequestParam String newPassword) {
        userService.changePassword(newPassword);
        return ResponseEntity.ok("Password changed");
    }
}
Secure code

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.ResponseEntity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(authz -> authz
                .anyRequest().authenticated()
            )
            .formLogin(form -> form.loginPage("/login"))
            // SECURE: CSRF protection stays enabled (the default). The token is
            // stored in an XSRF-TOKEN cookie readable by same-origin JavaScript;
            // for purely server-rendered forms the default session-backed
            // repository is enough and this csrf(...) call can be omitted.
            .csrf(csrf -> csrf
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
            );

        return http.build();
    }
}

@RestController
public class AccountController {

    private final UserService userService;   // application service, assumed to exist

    public AccountController(UserService userService) {
        this.userService = userService;
    }

    // Secure: the CsrfFilter rejects this POST with 403 before it reaches the
    // handler unless the request carries the session's CSRF token.
    @PostMapping("/api/account/change-password")
    public ResponseEntity<String> changePassword(
            @RequestParam String newPassword) {
        userService.changePassword(newPassword);
        return ResponseEntity.ok("Password changed");
    }
}

💡 Why This Fix Works

The vulnerable configuration disables CSRF protection with csrf().disable(), so Spring Security never checks where a request came from and an attacker's page can forge requests that ride on the victim's authenticated session. With protection enabled, the CsrfFilter rejects (HTTP 403) every request whose method is not GET, HEAD, TRACE or OPTIONS unless it carries the token bound to the current session, either as the _csrf form parameter or in the X-CSRF-TOKEN header (X-XSRF-TOKEN when CookieCsrfTokenRepository is used). The attacker's page runs on a different origin and cannot read that token, so the forged request fails the check even though the browser attached the session cookie.
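A way to prove the point above on the page's own controller, as an added example rather than code from the page: a Spring Boot MockMvc test that sends the change-password POST once as an attacker's page would (authenticated session, no token) and once as a legitimate client would (with the token). Run against the vulnerable configuration the first test fails because the request is accepted with 200; against the secure configuration both tests pass. It assumes Spring Boot 3.x with spring-security-test on the test classpath, and a UserService type for the controller's dependency (on Boot 3.4+ use @MockitoBean instead of @MockBean).

```java
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf;
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.user;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest;
import org.springframework.boot.test.mock.mockito.MockBean;
import org.springframework.context.annotation.Import;
import org.springframework.test.web.servlet.MockMvc;

// Loads only the controller under test plus the page's SecurityConfig, so the
// real filter chain (with or without the CsrfFilter) is exercised.
@WebMvcTest(AccountController.class)
@Import(SecurityConfig.class)
class ChangePasswordCsrfTest {

    @Autowired
    MockMvc mvc;

    @MockBean
    UserService userService;   // assumed application service; mocked so no real password changes

    // The forged request: the browser attaches the victim's session (user("victim")),
    // but the attacker's page cannot read the CSRF token, so none is sent.
    // Expected with CSRF enabled: 403 from the CsrfFilter.
    // With csrf().disable() this test FAILS, because the controller answers 200.
    @Test
    void forgedPostWithoutTokenIsRejected() throws Exception {
        mvc.perform(post("/api/account/change-password")
                .with(user("victim"))
                .param("newPassword", "attacker-chosen"))
            .andExpect(status().isForbidden());
    }

    // The legitimate request: same session, plus the token Spring issued for it.
    // csrf() generates a token through the configured repository and adds it as
    // the _csrf parameter; csrf().asHeader() would send it as the header instead.
    @Test
    void postWithValidTokenIsAccepted() throws Exception {
        mvc.perform(post("/api/account/change-password")
                .with(user("victim"))
                .with(csrf())
                .param("newPassword", "new-secret"))
            .andExpect(status().isOk());
    }

    // Sanity check that the filter inspects the value, not just its presence.
    @Test
    void postWithWrongTokenIsRejected() throws Exception {
        mvc.perform(post("/api/account/change-password")
                .with(user("victim"))
                .with(csrf().useInvalidToken())
                .param("newPassword", "new-secret"))
            .andExpect(status().isForbidden());
    }
}
```

Keeping the first test in the suite is the cheapest regression guard against someone reintroducing csrf().disable() later: the moment the filter is gone, the forged POST returns 200 and the build fails.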

Why it happens

CSRF protection is explicitly disabled in the Spring Security configuration, usually because a REST client, an integration test or a JavaScript front end started receiving 403 responses on POST requests and turning the check off was the quickest way to make them pass. The cost, that every cookie-authenticated browser path becomes forgeable, is not revisited.

Root causes

Calling csrf().disable()

Calling csrf().disable() (or the equivalent csrf(AbstractHttpConfigurer::disable)) on the HttpSecurity builder removes the CsrfFilter from the chain, so no token is generated for the session and none is checked on incoming requests.

Missing CSRF Tokens in Forms

Leaving protection enabled but never sending the token: forms without the hidden _csrf field and AJAX calls without the X-CSRF-TOKEN or X-XSRF-TOKEN header are rejected with 403, which then tempts developers to disable the check instead of wiring the token through.

Cookie-Based Sessions Without CSRF

Authenticating with a cookie session (JSESSIONID) or HTTP Basic, both of which the browser sends with every request regardless of the originating page, while not validating a CSRF token. Only a credential that script must attach explicitly, such as an Authorization: Bearer header, makes CSRF inapplicable.
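The distinction in the last root cause, as an added example that is not from the page: one application with two filter chains, a bearer-token API on which disabling CSRF is legitimate and a cookie-session web UI on which it is not. The class name ApiSecurityConfig, the /api/** path prefix and the JWT resource-server setup (issuer URI assumed to be configured in application properties) are this example's own assumptions; it targets Spring Security 6.x.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class ApiSecurityConfig {

    // Chain 1: JWT-authenticated API (assumed path prefix /api/**).
    // The browser never attaches an Authorization: Bearer header on its own, so a
    // cross-site form post arrives with no credential and is rejected as
    // unauthenticated. STATELESS also stops the chain from reading a session
    // cookie, which is what makes disabling CSRF safe here.
    @Bean
    @Order(1)
    SecurityFilterChain apiChain(HttpSecurity http) throws Exception {
        http
            .securityMatcher("/api/**")
            .authorizeHttpRequests(authz -> authz.anyRequest().authenticated())
            .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .oauth2ResourceServer(rs -> rs.jwt(Customizer.withDefaults()))
            // Not a finding: no browser-attached credential reaches this chain.
            .csrf(csrf -> csrf.disable());
        return http.build();
    }

    // Chain 2: everything else, authenticated by form login and the JSESSIONID
    // cookie. The cookie rides along on forged requests, so CSRF protection
    // stays on; it is enabled by default, hence no csrf(...) call at all.
    @Bean
    @Order(2)
    SecurityFilterChain webChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(authz -> authz.anyRequest().authenticated())
            .formLogin(form -> form.loginPage("/login"));
        return http.build();
    }
}
```

The exemption holds only as long as the API chain cannot be reached with a cookie: widening the securityMatcher, dropping the STATELESS policy, or adding formLogin to the first chain brings back the browser-attached credential and, with it, the CSRF finding.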

Fixes

1. Enable CSRF Protection

Remove csrf().disable() from the Spring Security configuration. Protection is on by default, so nothing needs to be added for server-rendered pages; confirm the fix with a POST that omits the token and check that it now receives 403.

2. Include CSRF Tokens in Forms

Send the token with every state-changing request. Thymeleaf forms that use th:action, and Spring's <form:form> tag, get the hidden _csrf field added automatically by Spring Security's CsrfRequestDataValueProcessor; in plain JSP add <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/> to each form. AJAX clients send the value of ${_csrf.token} in the ${_csrf.headerName} header (X-CSRF-TOKEN by default).

3. Configure CSRF Token Repository

Choose the repository that fits the client. The default HttpSessionCsrfTokenRepository keeps the token server-side and suits server-rendered forms. CookieCsrfTokenRepository.withHttpOnlyFalse() writes it to an XSRF-TOKEN cookie that a JavaScript front end can read and echo in the X-XSRF-TOKEN header; on Spring Security 6 this additionally needs a request handler that accepts the raw cookie value, because the default XorCsrfTokenRequestAttributeHandler expects the masked form it renders into ${_csrf.token} (see the reference documentation on CSRF for single-page applications).

Detect This Vulnerability in Your Code

Sourcery automatically identifies CSRF protection disabled in Spring Security and many other security issues in your codebase.