From c2f7dd86dca1e6f9f25562ffbc326651f0f0c325 Mon Sep 17 00:00:00 2001
From: Madhura Bhave
Date: Wed, 28 Feb 2018 08:54:43 -0800
Subject: [PATCH] Revert default for CRSF enabled to false

Fixes gh-12267
---
 .../boot/autoconfigure/security/SecurityProperties.java | 2 +-
 .../autoconfigure/security/SecurityPropertiesTests.java | 8 ++++----
 .../main/asciidoc/appendix-application-properties.adoc | 2 +-
 .../src/main/asciidoc/spring-boot-features.adoc | 4 +++-
 4 files changed, 9 insertions(+), 7 deletions(-)

diff --git a/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/SecurityProperties.java b/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/SecurityProperties.java
index 1b5f828824..db410ba79b 100644
--- a/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/SecurityProperties.java
+++ b/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/SecurityProperties.java
@@ -75,7 +75,7 @@ public class SecurityProperties implements SecurityPrerequisite {
 	/**
 	 * Enable Cross Site Request Forgery support.
 	 */
-	private boolean enableCsrf = true;
+	private boolean enableCsrf = false;
 
 	private Basic basic = new Basic();
 
diff --git a/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/SecurityPropertiesTests.java b/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/SecurityPropertiesTests.java
index d6cbdaa913..7bc42831ed 100644
--- a/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/SecurityPropertiesTests.java
+++ b/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/SecurityPropertiesTests.java
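Review bot: The Javadoc on `enableCsrf` still describes the property only as a switch, while the new default now leaves CSRF protection off for every application that never sets `security.enable-csrf`; the field comment should say so and say when it should be turned on. Suggest `/** Enable Cross Site Request Forgery support. Disabled by default; enable it for browser-facing applications that rely on session or cookie-based authentication. */`. The appendix-application-properties.adoc hunk repeats the same one-line description next to the new `false` default and appears to mirror this Javadoc, so it would benefit from the same wording. The enclosing class SecurityProperties continues outside the hunk.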
@@ -123,11 +123,11 @@ public class SecurityPropertiesTests {
 	}
 
 	@Test
-	public void testCSrf() {
-		assertThat(this.security.isEnableCsrf()).isEqualTo(true);
-		this.binder.bind(new MutablePropertyValues(
-				Collections.singletonMap("security.enable-csrf", false)));
+	public void testCsrf() {
 		assertThat(this.security.isEnableCsrf()).isEqualTo(false);
+		this.binder.bind(new MutablePropertyValues(
+				Collections.singletonMap("security.enable-csrf", true)));
+		assertThat(this.security.isEnableCsrf()).isEqualTo(true);
 	}
 
 }
diff --git a/spring-boot-docs/src/main/asciidoc/appendix-application-properties.adoc b/spring-boot-docs/src/main/asciidoc/appendix-application-properties.adoc
index 1380df7ab7..ea49473b3b 100644
--- a/spring-boot-docs/src/main/asciidoc/appendix-application-properties.adoc
+++ b/spring-boot-docs/src/main/asciidoc/appendix-application-properties.adoc
@@ -447,7 +447,7 @@ content into your application; rather pick only the properties that you need.
 	security.basic.enabled=true # Enable basic authentication.
 	security.basic.path=/** # Comma-separated list of paths to secure.
 	security.basic.realm=Spring # HTTP basic realm name.
-	security.enable-csrf=true # Enable Cross Site Request Forgery support.
+	security.enable-csrf=false # Enable Cross Site Request Forgery support.
 	security.filter-order=0 # Security filter chain order.
 	security.filter-dispatcher-types=ASYNC, FORWARD, INCLUDE, REQUEST # Security filter chain dispatcher types.
 	security.headers.cache=true # Enable cache control HTTP headers.
diff --git a/spring-boot-docs/src/main/asciidoc/spring-boot-features.adoc b/spring-boot-docs/src/main/asciidoc/spring-boot-features.adoc
index 73d41fe162..a2250a33af 100644
--- a/spring-boot-docs/src/main/asciidoc/spring-boot-features.adoc
+++ b/spring-boot-docs/src/main/asciidoc/spring-boot-features.adoc
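Review bot: The boolean assertions in the renamed `testCsrf` use `isEqualTo(false)` and `isEqualTo(true)`; if `assertThat` here is AssertJ, as the fluent form suggests, `isFalse()` and `isTrue()` read more directly and produce a clearer failure message. Suggest `assertThat(this.security.isEnableCsrf()).isFalse();` for the default check and `assertThat(this.security.isEnableCsrf()).isTrue();` after the bind. The test now pins the new default and the opt-in path, which is the right regression guard for this revert; a one-line comment such as `// CSRF protection is opt-in; see gh-12267` above the first assertion would record why the expected default is false.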
@@ -2536,8 +2536,9 @@ The basic features you get out of the box in a web application are:
 * HTTP Basic security for all other endpoints.
 * Security events published to Spring's `ApplicationEventPublisher` (successful and
   unsuccessful authentication and access denied).
-* Common low-level features (HSTS, XSS, CSRF, caching) provided by Spring Security are
+* Common low-level features (HSTS, XSS, caching) provided by Spring Security are
   on by default.
+* Cross Site Request Forgery (CSRF) checks are disabled by default.
 
 All of the above can be switched on and off or modified using external properties
 (`+security.*+`). To override the access rules without changing any other auto-configured
@@ -2790,6 +2791,7 @@ If the Actuator is also in use, you will find:
 * Security events are transformed into `AuditEvent` instances and published to the
   `AuditEventRepository`.
 * The default user will have the `ACTUATOR` role as well as the `USER` role.
+* Cross Site Request Forgery (CSRF) checks are disabled for actuator endpoints.
 
 The Actuator security features can be modified using external properties
 (`+management.security.*+`). To override the application access rules