Enable CSRF protection by default
See gh-11758
@@ -75,8 +75,7 @@ public class SecurityProperties implements SecurityPrerequisite {
|
||||
/**
|
||||
* Enable Cross Site Request Forgery support.
|
||||
*/
|
||||
// Flip this when session creation is disabled by default
|
||||
private boolean enableCsrf = false;
|
||||
private boolean enableCsrf = true;
|
||||
|
||||
private Basic basic = new Basic();
|
||||
|
||||
|
||||
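Review bot: The field Javadoc `* Enable Cross Site Request Forgery support.` names the attack rather than the defense, which is easy to misread now that the default is `true`; `* Enable Cross Site Request Forgery protection.` states what a user is switching off by setting the property to false. Changing the default is also a behaviour change for existing deployments — clients that send state-changing requests without a CSRF token will presumably start being rejected — so a sentence in the Javadoc noting that the protection is on by default and that this property is the opt-out would help readers of the generated metadata. The same "support" wording is repeated in the properties appendix hunk further down. The enclosing SecurityProperties class continues outside the hunk.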
@@ -122,4 +122,12 @@ public class SecurityPropertiesTests {
|
||||
assertThat(this.security.getUser().getRole().toString()).isEqualTo("[ADMIN]");
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testCSrf() {
|
||||
assertThat(this.security.isEnableCsrf()).isEqualTo(true);
|
||||
this.binder.bind(new MutablePropertyValues(
|
||||
Collections.singletonMap("security.enable-csrf", false)));
|
||||
assertThat(this.security.isEnableCsrf()).isEqualTo(false);
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
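Review bot: The new test method is named `testCSrf`, which reads as a typo and breaks lowerCamelCase; `public void testCsrf() {` is what the name appears intended to be. The boolean checks would also be clearer with AssertJ's boolean matchers: `assertThat(this.security.isEnableCsrf()).isTrue();` before the bind and `assertThat(this.security.isEnableCsrf()).isFalse();` after it, instead of `isEqualTo(true)` / `isEqualTo(false)`. The enclosing SecurityPropertiesTests class starts outside the hunk.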
@@ -447,7 +447,7 @@ content into your application; rather pick only the properties that you need.
|
||||
security.basic.enabled=true # Enable basic authentication.
|
||||
security.basic.path=/** # Comma-separated list of paths to secure.
|
||||
security.basic.realm=Spring # HTTP basic realm name.
|
||||
security.enable-csrf=false # Enable Cross Site Request Forgery support.
|
||||
security.enable-csrf=true # Enable Cross Site Request Forgery support.
|
||||
security.filter-order=0 # Security filter chain order.
|
||||
security.filter-dispatcher-types=ASYNC, FORWARD, INCLUDE, REQUEST # Security filter chain dispatcher types.
|
||||
security.headers.cache=true # Enable cache control HTTP headers.
|
||||
|
||||