Why does auth0 disable CSRF in Spring Security?

I saw in the auth0-spring-security-api library and also in this blog that it disables CSRF:

.csrf().disable()

Why does it do that?

I think this is because there is no session maintained and the bad website won’t have a valid token to pass in the headers. And that’s why CSRF is not required if we are using JWT auth. Am I right?

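As an added illustration (not code from auth0-spring-security-api or the blog linked above), the two configurations below show when the reasoning in the question holds and when it does not. They assume Spring Security 6 with the lambda DSL and the spring-boot-starter-oauth2-resource-server dependency; the path patterns are placeholders.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

@Configuration
public class ApiSecurityConfig {

    // Case 1: stateless API, the JWT arrives only in the Authorization header.
    // The browser never attaches that header by itself, and a cross-origin script
    // can only add it if CORS permits, so a cross-site request carries no
    // credential. With no session cookie to ride on, CSRF protection adds nothing.
    @Bean
    @Order(1)
    SecurityFilterChain bearerTokenChain(HttpSecurity http) throws Exception {
        http
            .securityMatcher("/api/**")   // placeholder path
            .csrf(csrf -> csrf.disable())
            .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .oauth2ResourceServer(oauth2 -> oauth2.jwt(Customizer.withDefaults()));
        return http.build();
    }

    // Case 2: the credential (a JWT or a session id) lives in a cookie. Browsers
    // attach cookies to cross-site requests automatically, so the "the attacker
    // has no token to send" argument no longer applies and CSRF must stay on.
    // The token repository issues the XSRF-TOKEN cookie that a JS client echoes
    // back in the X-XSRF-TOKEN header.
    @Bean
    @Order(2)
    SecurityFilterChain cookieSessionChain(HttpSecurity http) throws Exception {
        http
            .securityMatcher("/app/**")   // placeholder path
            .csrf(csrf -> csrf.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()))
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .formLogin(Customizer.withDefaults());
        return http.build();
    }
}
```

The deciding factor is not "JWT versus session" but whether the browser sends the credential on its own; disabling CSRF is safe only in the first configuration.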