@RequestMapping must restrict the allowed HTTP methods
JAVA-S1065

Request handlers annotated with @RequestMapping must limit the allowed HTTP methods.
A request handler annotated with @RequestMapping and no method attribute is mapped to every HTTP request method. By design, CSRF protection is disabled for GET, HEAD, TRACE, and OPTIONS requests by default, because those methods are assumed not to change state. If a handler annotated with @RequestMapping modifies application state and its allowed methods are not narrowed down to POST, PUT, DELETE, and/or PATCH, the handler can be reached through one of the unprotected methods, which leaves the application susceptible to CSRF attacks.
```java
// Bad: no method attribute, so GET, HEAD, TRACE and OPTIONS also reach this handler
@RequestMapping("/path")
public void saveToDB() {
    // ...proceed to modify application state
}
```
When using @RequestMapping on a handler that changes state, always limit which HTTP methods are allowed, for example by setting method = RequestMethod.POST.
```java
// Good: only POST is accepted; other methods are rejected with 405 before the handler runs
@RequestMapping(value = "/path", method = RequestMethod.POST)
public void saveToDB() {
    // ...proceed to modify application state
}
```
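The following is an added example, not code from the DeepSource rule page or from Spring itself. It puts the unrestricted handler next to the two restricted forms (the explicit method attribute and the @PostMapping shorthand) and adds a standalone MockMvc check that shows the difference in behaviour: a GET reaches the unrestricted handler and changes state, while the same GET against the restricted handler is answered with 405 Method Not Allowed before the method body runs. It assumes a Spring MVC project with spring-test and JUnit 5 on the classpath; the paths, the AccountController and AccountService names, and the email-update operation are made up for illustration.

```java
// Added example (not from the rule page or Spring's sources). Assumes Spring MVC
// 5.x/6.x, spring-test and JUnit 5; all names and paths below are hypothetical.
package example;

import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertTrue;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import java.util.ArrayList;
import java.util.List;
import org.junit.jupiter.api.Test;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.setup.MockMvcBuilders;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

// Hypothetical state-changing service; kept minimal so the file compiles on its own.
interface AccountService {
    void updateEmail(String value);
}

@RestController
public class AccountController {

    private final AccountService accounts;

    public AccountController(AccountService accounts) {
        this.accounts = accounts;
    }

    // BAD (what JAVA-S1065 flags): no method attribute, so every HTTP method is
    // mapped. A cross-site GET changes state, and the CSRF filter ignores GET.
    @RequestMapping("/legacy/email")
    public String changeEmailLegacy(@RequestParam("value") String value) {
        accounts.updateEmail(value);
        return "updated";
    }

    // GOOD: only POST is mapped. Spring MVC answers GET/HEAD/TRACE/OPTIONS with
    // 405 before this method runs, and POST is covered by CSRF protection.
    @RequestMapping(value = "/email", method = RequestMethod.POST)
    public String changeEmail(@RequestParam("value") String value) {
        accounts.updateEmail(value);
        return "updated";
    }

    // GOOD, shorter: the composed annotation fixes the method to POST.
    @PostMapping("/email/v2")
    public String changeEmailV2(@RequestParam("value") String value) {
        accounts.updateEmail(value);
        return "updated";
    }
}

// Standalone MockMvc check (no Spring Security involved): it only exercises the
// method mapping, which is exactly what this rule is about.
class AccountControllerTest {

    private final List<String> calls = new ArrayList<>();
    private final MockMvc mvc = MockMvcBuilders
            .standaloneSetup(new AccountController(calls::add))
            .build();

    @Test
    void getReachesUnrestrictedHandlerAndChangesState() throws Exception {
        mvc.perform(get("/legacy/email").param("value", "x@example.test"))
           .andExpect(status().isOk());
        assertEquals(List.of("x@example.test"), calls);
    }

    @Test
    void getIsRejectedOnRestrictedHandlers() throws Exception {
        mvc.perform(get("/email").param("value", "x@example.test"))
           .andExpect(status().isMethodNotAllowed());
        mvc.perform(get("/email/v2").param("value", "x@example.test"))
           .andExpect(status().isMethodNotAllowed());
        assertTrue(calls.isEmpty());
    }
}
```

Restricting the method is the fix this rule asks for, but it only closes the CSRF gap if CSRF protection is actually active for the POST path: with Spring Security, that means the CsrfFilter is enabled (the default) and has not been disabled or excluded for the endpoint in the security configuration.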