Is desactiving CSRF safe ?

[MiniPlayer]

USER STORY

We added spring security to our Rest api but desactivated csrf for convenience (to not handle csrf token). Is this really safe ? (we have a stateless rest api).

ACCEPTANCE CRITERIA

1. 1. 1.

DEFINITION OF DONE

• Code builds without warnings (technical task)
• Code unit tested (technical task)
• Code is reviewed by a peer colleague
• Documentation updated (user story)
• Build pushed to demo server (user story)

[amarziali]

My two cents:

we use JWT tokens and no cookies (no session on server side for anything)

There is nothing exploitable for a blind CSRF attack (unless proof of contrary).