Critiq Docs

security.misconfiguration

Avoid disabling Spring CSRF protection without a stateless API hardening story

Disabling CSRF globally is unsafe for cookie-backed browser sessions unless the app is clearly hardened as a stateless API (for example OAuth2 resource server with stateless sessions).

# Metadata

| Field | Value |
|---|---|
| Rule ID | `java.security.spring-csrf-globally-disabled` |
| Severity | high |
| Confidence | 0.78 |
| Languages | java |
| Presets | security, strict |
| Stability | experimental |
| Applies to | block |
| Tags | csrf, java, rules-catalog, security, spring, spring-security |

# Why it matters

CSRF protection defends browser clients whose session cookies are attached automatically to every request; turning it off without token-based or stateless mitigations lets a cross-site page forge requests that perform privileged actions with the victim's session.

# Remediation

Keep CSRF tokens enabled for cookie-backed sessions; for APIs, use `oauth2ResourceServer` with JWT, or set `SessionCreationPolicy.STATELESS` together with a reviewed bearer-token story, rather than a blanket `csrf().disable()`.
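The following is an added example, not code from the Critiq rule catalog or from Spring Security itself: it places the flagged configuration beside the two hardened shapes named above, using the Spring Security 6 lambda DSL. The `/ui/**` and `/api/**` path split and the JWT issuer (configured via `spring.security.oauth2.resourceserver.jwt.issuer-uri`) are assumptions made for the illustration.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class SecurityConfig {
    // BEFORE (what this rule flags): CSRF off globally while browsers still authenticate
    // with a session cookie via form login, so a cross-site page can submit state-changing
    // POSTs with that cookie attached. Deliberately not a @Bean; shown for contrast only.
    SecurityFilterChain flaggedChain(HttpSecurity http) throws Exception {
        http
            .csrf(csrf -> csrf.disable())
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .formLogin(Customizer.withDefaults());
        return http.build();
    }

    // AFTER, chain 1: browser-facing, cookie-session paths keep CSRF enabled
    // (default synchronizer-token repository; the token is rendered into server-side forms).
    @Bean
    @Order(1)
    SecurityFilterChain browserChain(HttpSecurity http) throws Exception {
        http
            .securityMatcher("/ui/**")              // assumed path prefix
            .csrf(Customizer.withDefaults())
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .formLogin(Customizer.withDefaults());
        return http.build();
    }

    // AFTER, chain 2: genuinely stateless API. No session cookie is ever created and the
    // JWT travels in the Authorization header, which a cross-site page cannot attach.
    @Bean
    @Order(2)
    SecurityFilterChain apiChain(HttpSecurity http) throws Exception {
        http
            .securityMatcher("/api/**")              // assumed path prefix
            .csrf(csrf -> csrf.disable())
            .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .oauth2ResourceServer(oauth2 -> oauth2.jwt(Customizer.withDefaults()))
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated());
        return http.build();
    }
}
```

Chain 2 needs the `spring-boot-starter-oauth2-resource-server` dependency and a configured issuer or JWK set URI; if a cookie-authenticated path ever ends up matching `/api/**`, the rule's concern applies again.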

# Repository path

The generated metadata points to `critiq-rules/libs/rules/catalog/rules/java/java.security.spring-csrf-globally-disabled.rule.yaml`.