How To Fix Veracode Cross-Site Request Forgery (CSRF) — CWE ID 352
Aug 14, 2023
In this tutorial we look at how to fix the Cross-Site Request Forgery (CWE-352) finding that Veracode raises when CSRF protection is switched off in a Spring Security configuration.
Veracode flags the code snippet below because CSRF protection has been disabled for every endpoint with .csrf().disable():
// Before: the configuration Veracode flags. CSRF protection is turned off for
// every endpoint, which is what triggers the CWE-352 finding.
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.cors().and()
        .csrf().disable()                    // flagged: no CSRF protection at all
        .authorizeHttpRequests()
        .antMatchers(corsConfiguration)      // corsConfiguration: path patterns defined elsewhere in this class
        .permitAll()
        .and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
}
The change that clears the finding is in the snippet below:
// After: the .disable() call is gone, so Spring Security's CsrfFilter runs again,
// and only requests whose path matches /api/** are exempted from the CSRF check.
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.cors().and()
        //.csrf().disable()                  // removed: this is what Veracode flagged
        .csrf().ignoringAntMatchers("/api/**").and()   // CSRF on, except under /api/**
        .authorizeHttpRequests()
        .antMatchers(corsConfiguration)      // corsConfiguration: path patterns defined elsewhere in this class
        .permitAll()
        .and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
}
So the change does not add protection to the API itself: it re-enables the CSRF filter for every request and then explicitly ignores any request whose path starts with "/api/". That satisfies the scanner, but whether it is safe depends on how the endpoints under /api/** are authenticated. If they accept only an Authorization header (for example a bearer token) and never a session cookie, a request forged from another site carries no credentials, CSRF does not apply, and the exemption is justified; record that reasoning in the Veracode mitigation rather than simply silencing the finding. If the API is authenticated by a session cookie, the finding was real and the exemption merely hides it: keep CSRF enabled there and, for JavaScript clients, switch to CookieCsrfTokenRepository.withHttpOnlyFalse() so the client can read the XSRF-TOKEN cookie and echo it back in the X-XSRF-TOKEN header. Note also that the default HttpSessionCsrfTokenRepository keeps the token in the HTTP session, which sits awkwardly next to SessionCreationPolicy.STATELESS.
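The split described above, written out as an added example that is not the original post's code: the stateless bearer-token API gets its own filter chain with CSRF disabled on purpose, while the cookie-authenticated browser pages keep CSRF protection with a cookie-based token repository. It assumes Spring Security 5.7 or 5.8 (the SecurityFilterChain bean style, with the 5.x antMatcher API the post uses), a hypothetical package name and path layout ("/api/**" for the API, "/login" and "/public/**" as open pages), and that the resource-server support for JWT validation is on the classpath with an issuer or JWK set configured elsewhere.

```java
package com.example.security;  // hypothetical package name, not from the original post

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

@Configuration
@EnableWebSecurity
public class SplitCsrfSecurityConfig {

    // Chain 1: the stateless JSON API under /api/**. Authentication is a JWT in
    // the Authorization header and never a cookie, so a page on another origin
    // cannot make the browser attach credentials and CSRF does not apply.
    // Disabling it here is a documented decision, not a scanner workaround.
    // Assumption: spring-boot-starter-oauth2-resource-server is present and the
    // JWT issuer/JWK set is configured in application properties.
    @Bean
    @Order(1)
    public SecurityFilterChain apiChain(HttpSecurity http) throws Exception {
        http.antMatcher("/api/**");                       // this chain only sees API requests
        http.cors();
        http.csrf().disable();                            // safe only because no cookie auth is accepted here
        http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
        http.authorizeRequests().anyRequest().authenticated();
        http.oauth2ResourceServer().jwt();                // bearer token in the Authorization header
        return http.build();
    }

    // Chain 2: everything else, i.e. the browser-facing pages that log in with
    // a session cookie. CSRF protection must stay on here. The token is issued
    // in an XSRF-TOKEN cookie that the page's JavaScript may read (hence
    // withHttpOnlyFalse) and must be sent back in the X-XSRF-TOKEN header or
    // the _csrf form field. An attacker's page cannot read that cookie, so it
    // cannot forge the value; the browser still attaches the session cookie,
    // which is exactly why the check is needed.
    @Bean
    @Order(2)
    public SecurityFilterChain browserChain(HttpSecurity http) throws Exception {
        http.cors();
        http.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
        http.authorizeRequests()
                .antMatchers("/", "/login", "/public/**").permitAll()  // hypothetical open paths
                .anyRequest().authenticated();
        http.formLogin();                                 // session-cookie login for browsers
        http.logout();                                    // POST /logout, itself CSRF-protected
        return http.build();
    }
}
```

To check the browser chain by hand: fetch /login with a cookie jar so the XSRF-TOKEN cookie is stored, then POST to /logout with that cookie jar but no X-XSRF-TOKEN header and expect a 403 from the CsrfFilter; repeat with the header set to the cookie's value and the request is accepted and redirected. A POST to an /api/** endpoint without any Authorization header should come back 401, showing that the exemption there rests on header-based authentication and not on a cookie.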