Original issue MVC_SPEC-67 created by Christian Kaltepoth:
Currently CsrfOptions.OFF is the default. This is confusing because adding @CsrfValid to controller methods simply doesn't work without setting CsrfOptions.EXPLICIT in the global configuration.
Instead CsrfOptions.EXPLICIT should be the default. This way adding @CsrfValid will work immediately and people can still completely disable CSRF protection if they want by setting it to CsrfOptions.OFF.
Corresponding mailing list discussion:
https://java.net/projects/mvc-spec/lists/users/archive/2016-06/message/53
Pull request:
https://github.com/mvc-spec/mvc-spec/pull/9