Enable CSRF protection by default

See gh-11758

spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/SecurityProperties.java

@@ -75,8 +75,7 @@ public class SecurityProperties implements SecurityPrerequisite {
 	/**
 	 * Enable Cross Site Request Forgery support.
 	 */
-	// Flip this when session creation is disabled by default
-	private boolean enableCsrf = false;
+	private boolean enableCsrf = true;
 
 	private Basic basic = new Basic();
 

spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/SecurityPropertiesTests.java

@@ -122,4 +122,12 @@ public class SecurityPropertiesTests {
 		assertThat(this.security.getUser().getRole().toString()).isEqualTo("[ADMIN]");
 	}
 
+	@Test
+	public void testCSrf() {
+		assertThat(this.security.isEnableCsrf()).isEqualTo(true);
+		this.binder.bind(new MutablePropertyValues(
+				Collections.singletonMap("security.enable-csrf", false)));
+		assertThat(this.security.isEnableCsrf()).isEqualTo(false);
+	}
+
 }

spring-boot-docs/src/main/asciidoc/appendix-application-properties.adoc

@@ -447,7 +447,7 @@ content into your application; rather pick only the properties that you need.
 	security.basic.enabled=true # Enable basic authentication.
 	security.basic.path=/** # Comma-separated list of paths to secure.
 	security.basic.realm=Spring # HTTP basic realm name.
-	security.enable-csrf=false # Enable Cross Site Request Forgery support.
+	security.enable-csrf=true # Enable Cross Site Request Forgery support.
 	security.filter-order=0 # Security filter chain order.
 	security.filter-dispatcher-types=ASYNC, FORWARD, INCLUDE, REQUEST # Security filter chain dispatcher types.
 	security.headers.cache=true # Enable cache control HTTP headers.