Merge pull request #97 from erdlet/22-make-csrf-default-implicit
Switch CSRF default to implicit
erdlet authored Apr 30, 2023
2 parents f6c0af5 + dd8dd14 commit 62eec9f
Showing 2 changed files with 3 additions and 3 deletions.
4 changes: 2 additions & 2 deletions api/src/main/java/jakarta/mvc/security/Csrf.java
@@ -57,11 +57,11 @@ enum CsrfOptions {
*/
OFF,
/**
* Enabling CSRF requires use of {@link CsrfProtected} explicitly (default).
* Enabling CSRF requires use of {@link CsrfProtected} explicitly.
*/
EXPLICIT,
/**
* CSRF enabled automatically for all controllers.
* CSRF enabled automatically for all controllers (default).
*/
IMPLICIT
};
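Review bot: The two Javadoc sentences in this hunk say "Enabling CSRF requires ..." and "CSRF enabled automatically ...", but what the option enables is CSRF protection, not CSRF itself; since the "(default)" marker is being moved between exactly these two comments, this is the moment to fix the wording as well, e.g. `* Enabling CSRF protection requires use of {@link CsrfProtected} explicitly.` and `* CSRF protection is enabled automatically for all controllers (default).`. The enum also documents the default without saying where it takes effect; a reference to the `jakarta.mvc.security.CsrfProtection` application property named in the spec change in this same commit would tell readers of the API how the option is selected.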
2 changes: 1 addition & 1 deletion spec/src/main/asciidoc/chapters/security.asciidoc
@@ -63,7 +63,7 @@ Another way to convey this information to and from the client is via an HTTP hea
[tck-testable tck-id-csrf-verify]#Jakarta MVC implementations are REQUIRED to support CSRF tokens both as form fields (with the help of the application developer as shown above) and as HTTP headers#.

The application-level property `jakarta.mvc.security.CsrfProtection` enables CSRF protection when set to one of the possible values defined in `jakarta.mvc.security.Csrf.CsrfOptions`.
[tck-testable tck-id-csrf-opt-default]#The default value of this property is `CsrfOptions.EXPLICIT`#.
[tck-testable tck-id-csrf-opt-default]#The default value of this property is `CsrfOptions.IMPLICIT`#.
[tck-testable tck-id-csrf-inject-header]#Any other value than `CsrfOptions.OFF` will automatically inject a CSRF token as an HTTP header#.
[tck-testable tck-id-csrf-custom-header-name]#The actual name of the header can be configured via the `Csrf.CSRF_HEADER_NAME` configuration property#.
[tck-testable tck-id-csrf-default-header-name]#The default name of the header is `Csrf.DEFAULT_CSRF_HEADER_NAME`#.
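Review bot: Changing the tck-testable default `tck-id-csrf-opt-default` from `CsrfOptions.EXPLICIT` to `CsrfOptions.IMPLICIT` is a behaviour change for existing applications, not just a documentation fix: a controller that was not annotated with `CsrfProtected` and so ran without CSRF protection under the old default will now have protection applied unless the application sets `jakarta.mvc.security.CsrfProtection` itself. The new sentence states the default but nothing about this consequence; a short note in this section (or in the spec's change log) saying that applications relying on the previous default must now set `CsrfOptions.EXPLICIT` or `CsrfOptions.OFF` explicitly would help implementers, and the TCK test behind this assertion id has to be updated in step. The visible lines also do not say what "all controllers" covers for `IMPLICIT`; if the chapter defines that elsewhere, a cross-reference here would avoid readers having to hunt for it.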