Rule Definition
When a web server is designed to receive a request from a client without any mechanism for verifying that it was intentionally sent, it might be possible for an attacker to trick a client into making an unintentional request to the web server, which will be treated as an authentic request. This can be done via a URL, an image load, an XMLHttpRequest, etc., and can result in exposure of data or unintended code execution. There are multiple forms of Cross-Site Request Forgery (CSRF) attacks that can be avoided using Spring Security.
Remediation
CSRF protection must be enabled.
As of Spring Security 4.0, CSRF protection is enabled by default with XML configuration.
{code}
<http>
    <csrf disabled="false"/>
</http>
{code}
Violation Code Sample
As of Spring Security 4.0, CSRF protection is enabled by default with XML configuration. If you would like to disable CSRF protection, the corresponding XML configuration can be seen below.
{code}
<http>
    <csrf disabled="true"/>
</http>
{code}
-------------------
In the older XML config (pre Spring Security 4), CSRF protection was disabled by default.
--------------------
Java Configuration:
{code}
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf().disable(); // CSRF protection is disabled: state-changing requests no longer need a token
    }
}
{code}
Fixed Code Sample
As of Spring Security 4.0, CSRF protection is enabled by default with XML configuration.
{code}
<http>
    <csrf disabled="false"/>
</http>
{code}
_____________
In the older XML config (pre Spring Security 4), CSRF protection was disabled by default and we could enable it as follows:
{code}
<http>
    ...
    <csrf/>
</http>
{code}
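The page only shows the fixed configuration in XML. The following is an added example, not code from the CAST rule page or from the Spring project, giving the Java-configuration counterpart of the fixed sample together with a controller that follows the "use proper verbs" guidance cited in the references. It assumes Spring Security 4.x/5.x with WebSecurityConfigurerAdapter (the same base class as the violation sample) and Spring MVC on the classpath; the class names, endpoint paths and view name are made up for illustration.

```java
// Added example, not part of the CAST rule page: Java-config counterpart of the
// "Fixed Code Sample" XML above. Assumes Spring Security 4.x/5.x with
// WebSecurityConfigurerAdapter and Spring MVC; names below are hypothetical.
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestParam;

@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // CSRF protection is on by default in Java config as well; calling
            // csrf() without disable() keeps it on and makes the intent visible
            // to reviewers (and to static analysis rules such as this one).
            .csrf()
                .and()
            .authorizeRequests()
                .anyRequest().authenticated()
                .and()
            .formLogin();
    }
}

// Hypothetical controller showing the "use proper verbs" guidance from the Spring
// reference: the read is a GET (CsrfFilter does not require a token for
// GET/HEAD/TRACE/OPTIONS, so GET must never change state), while the state
// change is a POST that CsrfFilter rejects with 403 unless the request carries
// the token issued to this session.
@Controller
class TransferController {

    @GetMapping("/transfer")
    public String transferForm(CsrfToken token, Model model) {
        // Spring Security's CsrfTokenArgumentResolver supplies the CsrfToken that
        // CsrfFilter stored as a request attribute. The view must submit it as a
        // hidden field named token.getParameterName() (default "_csrf") whose
        // value is token.getToken(); AJAX clients send it in the
        // token.getHeaderName() header (default "X-CSRF-TOKEN") instead.
        model.addAttribute("csrf", token);
        return "transfer"; // view renders <input type="hidden" name="${csrf.parameterName}" value="${csrf.token}"/>
    }

    @PostMapping("/transfer")
    public String transfer(@RequestParam String toAccount, @RequestParam long amount) {
        // Reached only after CsrfFilter has matched the submitted token against
        // the one held in the default HttpSessionCsrfTokenRepository, so a form
        // auto-submitted from another origin cannot trigger the transfer.
        // ... perform the transfer ...
        return "redirect:/transfer?done";
    }
}
```

The point of keeping the mutation on POST is that the protection only applies to the HTTP methods CsrfFilter treats as state-changing; a `/transfer?toAccount=...&amount=...` handled by GET would pass the filter untouched no matter how the configuration is written.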
Reference
https://cwe.mitre.org/data/definitions/352.html
https://www.owasp.org/index.php/Top_10_2013-A8-Cross-Site_Request_Forgery_(CSRF)
http://www.baeldung.com/spring-security-csrf
https://docs.spring.io/spring-security/site/docs/current/reference/html/csrf.html#csrf-use-proper-verbs
Related Technologies
Technical Criterion
CWE-352 - Cross-Site Request Forgery (CSRF)
About CAST Appmarq
CAST Appmarq is by far the biggest repository of data about real IT systems. It's built on thousands of analyzed applications, made of 35 different technologies, by over 300 business organizations across major verticals. It provides IT Leaders with factual key analytics to let them know if their applications are on track.