Conversation
…t-api Feature/chatlist api
…g-api [feature] Chatting API implementation
…onse [hotfix] Change ResponseEntity to ApiResponse
…ct/Backend into bugfix/mapping-name-rule-fix
…ousProfile Feature/anonymous profile
…ystem [feature] vote system
…endpoint-fix [hotfix] Add Websocket, Chatlist endpoint in SecurityConfig
…contraint [hotfix] delete all constraints
Added `.dockerignore`
Added `Dockerfile.backend`, which describes how to build and dockerize the Bravest backend WAS
Added BACKED_DEPLOYMENT.md document to explain the purpose of the Dockerfile
Removed compose.yaml to reduce further confusion
…ize-backend [feature] Add backend dockerfile and deployment doc
Add an action manually triggered on GitHub that checks whether `gradlew clean build` succeeds
chore: Add backend-manual-build.yml
…github-action Add Korean guidance to CodeQL workflow
Ci/add workflow
changing for push main & develop
ci/cd - dependency security check
…w-second ci/cd - dependency security check
…w-third [ci/cd] Adding workflow file assign PR assignee and reviewers
…w-docker-compose [ci/cd] Adding workflow file test docker-compose.yaml
…ird-docker-compose-fix [ci/cd] fix dockercompose-test.yml syntax error
…ird-docker-compose-fix [ci/cd] fix dockercompose-test.yml password syntax error
…ird-docker-compose-fix [ci/cd] fix dockercompose-test.yml syntax error
…urth-code-style [ci/cd] add code style checker workflow
…urth-code-style [ci/cd] refactor all of the files
Flagged code in SecurityConfig.java:

http
    // REST API basic settings
    .csrf(csrf -> csrf.disable()).cors(Customizer.withDefaults())
Check failure: Code scanning / CodeQL: Disabled Spring CSRF protection (High)

Copilot Autofix (AI), 2 months ago
To address the issue, CSRF protection should not be disabled globally. The simplest and safest fix is to remove the explicit .csrf(csrf -> csrf.disable()), allowing Spring Security's default CSRF protection to apply to the endpoints. If there are endpoints that must remain CSRF-unprotected for non-browser interactions (such as stateless APIs with bearer tokens), they should be explicitly excluded from CSRF protection using .csrf().ignoringRequestMatchers(...) with strict matching, rather than disabling it globally. However, with only the snippet provided, the best action is to remove the .csrf(csrf -> csrf.disable()) and allow the Spring default to apply, as that will not alter the rest of the security flow.
The required change is localized to the SecurityConfig.java file, specifically the method chain starting at line 51. No new imports or definitions are required; just edit the .csrf(csrf -> csrf.disable()) part.
| @@ -50,7 +50,7 @@ | ||
|
|
||
| http | ||
| // REST API 기본 세팅 | ||
| .csrf(csrf -> csrf.disable()).cors(Customizer.withDefaults()) | ||
| .cors(Customizer.withDefaults()) | ||
| .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS)) | ||
| .httpBasic(basic -> basic.disable()).formLogin(form -> form.disable()) | ||
| .logout(lo -> lo.disable()).requestCache(cache -> cache.disable()) |
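Review bot: dropping `.csrf(csrf -> csrf.disable())` re-enables CSRF with Spring Security's default session-backed token repository, which does not fit the rest of this chain: `.sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))` with `httpBasic`, `formLogin` and `logout` disabled reads as a stateless token API, so after this change every POST/PUT/DELETE from an API client that does not fetch and echo a CSRF token is rejected with 403, and the default repository stores the token in an HttpSession that the STATELESS policy was meant to avoid. Decide on the credential model before accepting the autofix: if requests are authenticated only by an Authorization header that the browser never attaches on its own, CSRF is not exploitable and keeping it disabled is correct, but document that reasoning in a comment on the `.csrf(...)` line so the scanner finding has a recorded justification; if a cookie carries the credential, keep CSRF on but configure `CookieCsrfTokenRepository.withHttpOnlyFalse()` and `ignoringRequestMatchers(...)` for the WebSocket handshake endpoint this PR adds to SecurityConfig, rather than the bare default this hunk leaves in place.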
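The autofix text above recommends keeping CSRF enabled and excluding only specific endpoints with strict matchers. The following is an added example, not code from this repository or from the autofix, of what that looks like when the chain must stay stateless: the token is kept in a readable cookie instead of the HttpSession, and only an assumed WebSocket handshake path (`/ws/**`, a placeholder; the real path is not visible on this page) is excluded. The class name is also invented for the example. It assumes the frontend sends cookies with requests; if the API is authenticated purely by an `Authorization` header set from JavaScript, CSRF is not exploitable and the original `csrf.disable()` would be the honest configuration, with a comment explaining why.

```java
package com.example.security; // hypothetical package for the example

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.csrf.CsrfTokenRequestAttributeHandler;

/**
 * Example SecurityFilterChain for a stateless REST API that still needs CSRF
 * protection because the browser carries a cookie credential.
 * Not the project's SecurityConfig; written to illustrate the autofix advice.
 */
@Configuration
@EnableWebSecurity
public class CsrfExampleSecurityConfig {

    // Assumed WebSocket handshake path. Browsers cannot add custom headers to
    // a WebSocket upgrade, so the handshake is excluded with a narrow matcher
    // instead of turning CSRF off for the whole application.
    private static final String WEBSOCKET_HANDSHAKE = "/ws/**";

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        // The plain attribute handler exposes the raw token so a single-page
        // client can read the XSRF-TOKEN cookie and echo it in X-XSRF-TOKEN.
        // (Spring Security 6 defaults to an XOR-masked handler; the raw form
        // is acceptable here because the token is never embedded in a
        // compressible HTML response, only in a cookie.)
        CsrfTokenRequestAttributeHandler requestHandler = new CsrfTokenRequestAttributeHandler();

        http
            .csrf(csrf -> csrf
                // Cookie-backed repository: no HttpSession is created just to
                // hold the token, so this stays consistent with STATELESS below.
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
                .csrfTokenRequestHandler(requestHandler)
                // Strict exclusion of one path pattern, not a global disable.
                .ignoringRequestMatchers(WEBSOCKET_HANDSHAKE))
            .cors(Customizer.withDefaults())
            .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .httpBasic(basic -> basic.disable())
            .formLogin(form -> form.disable())
            .logout(lo -> lo.disable())
            .requestCache(cache -> cache.disable())
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated());

        return http.build();
    }
}
```

With this configuration a state-changing request that lacks a matching `X-XSRF-TOKEN` header is rejected with 403 while GET, HEAD, OPTIONS and TRACE remain unaffected; the client obtains the token from the `XSRF-TOKEN` cookie that Spring sets on the first response. The excluded pattern should be kept as tight as the real handshake route allows, because anything it matches is reachable by a cross-site form post.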