From 4e61136948c459dbb37b4d032dba2e397374cb33 Mon Sep 17 00:00:00 2001
From: Madhura Bhave
Date: Fri, 16 Feb 2018 14:43:50 -0800
Subject: [PATCH] Enable CSRF protection by default

See gh-11758
---
 .../boot/autoconfigure/security/SecurityProperties.java | 3 +--
 .../autoconfigure/security/SecurityPropertiesTests.java | 8 ++++++++
 .../main/asciidoc/appendix-application-properties.adoc | 2 +-
 3 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/SecurityProperties.java b/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/SecurityProperties.java
index f825252c7f..1b5f828824 100644
--- a/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/SecurityProperties.java
+++ b/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/SecurityProperties.java
@@ -75,8 +75,7 @@ public class SecurityProperties implements SecurityPrerequisite {
 	/**
 	 * Enable Cross Site Request Forgery support.
 	 */
-	// Flip this when session creation is disabled by default
-	private boolean enableCsrf = false;
+	private boolean enableCsrf = true;
 
 	private Basic basic = new Basic();
 
diff --git a/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/SecurityPropertiesTests.java b/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/SecurityPropertiesTests.java
index b032dbecb7..d6cbdaa913 100644
--- a/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/SecurityPropertiesTests.java
+++ b/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/SecurityPropertiesTests.java
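Review bot: The field Javadoc on `enableCsrf` still reads only "Enable Cross Site Request Forgery support." and, with the explanatory `// Flip this ...` comment removed, no longer tells a reader what the default is or when to change it, even though flipping the default is the whole point of the commit. Since CSRF checks reject state-changing requests that carry no token, clients that do not use a browser session will need the opt-out documented on the property itself; I would extend the Javadoc to `Enable Cross Site Request Forgery support. Enabled by default; set {@code security.enable-csrf=false} for stateless, non-browser API clients that cannot supply a CSRF token.` The class body continues outside the hunk.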
@@ -122,4 +122,12 @@ public class SecurityPropertiesTests {
 		assertThat(this.security.getUser().getRole().toString()).isEqualTo("[ADMIN]");
 	}
 
+	@Test
+	public void testCSrf() {
+		assertThat(this.security.isEnableCsrf()).isEqualTo(true);
+		this.binder.bind(new MutablePropertyValues(
+				Collections.singletonMap("security.enable-csrf", false)));
+		assertThat(this.security.isEnableCsrf()).isEqualTo(false);
+	}
+
 }
diff --git a/spring-boot-docs/src/main/asciidoc/appendix-application-properties.adoc b/spring-boot-docs/src/main/asciidoc/appendix-application-properties.adoc
index ea49473b3b..1380df7ab7 100644
--- a/spring-boot-docs/src/main/asciidoc/appendix-application-properties.adoc
+++ b/spring-boot-docs/src/main/asciidoc/appendix-application-properties.adoc
@@ -447,7 +447,7 @@ content into your application; rather pick only the properties that you need.
 	security.basic.enabled=true # Enable basic authentication.
 	security.basic.path=/** # Comma-separated list of paths to secure.
 	security.basic.realm=Spring # HTTP basic realm name.
-	security.enable-csrf=false # Enable Cross Site Request Forgery support.
+	security.enable-csrf=true # Enable Cross Site Request Forgery support.
 	security.filter-order=0 # Security filter chain order.
 	security.filter-dispatcher-types=ASYNC, FORWARD, INCLUDE, REQUEST # Security filter chain dispatcher types.
 	security.headers.cache=true # Enable cache control HTTP headers.
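Review bot: The new test method is named `testCSrf`, which mis-capitalizes the acronym; `testCsrf` matches the camel-case used by the property it exercises (`enableCsrf`) and by the rest of the class's `test...` methods. The two boolean checks also read more directly with the assertion library's boolean matchers, `assertThat(this.security.isEnableCsrf()).isTrue();` before the bind and `assertThat(this.security.isEnableCsrf()).isFalse();` after it, rather than `isEqualTo(true)`/`isEqualTo(false)`. A one-line comment such as `// default is on; binding security.enable-csrf=false must turn it off` would make it clear that the first assertion pins the new default rather than incidental state. The enclosing class starts outside the hunk.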