I saw in the auth0-spring-security-api library and also in this blog that it disables CSRF:
.csrf().disable()
Why does it do that?
I think this is because there is no session maintained and the bad website won’t have a valid token to pass in the headers. And that’s why CSRF is not required if we are using JWT auth. Am I right?
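An added example, not code from the auth0-spring-security-api library or the blog quoted above, that makes the reasoning in the question explicit: CSRF can only be dropped when the application keeps no HttpSession and takes the JWT from the `Authorization` header, because the browser never attaches that header to a cross-site form post or image request on its own. The `JwtVerifier` interface and the `BearerHeaderFilter` class are assumptions written for this example; the Spring Security calls are the standard 5.x `WebSecurityConfigurerAdapter` API.

```java
// Added example (Spring Security 5.x style); JwtVerifier and BearerHeaderFilter are hypothetical.
import java.io.IOException;
import java.util.Collections;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.web.filter.OncePerRequestFilter;

@EnableWebSecurity
public class StatelessJwtSecurityConfig extends WebSecurityConfigurerAdapter {

    /** Hypothetical: checks signature and expiry, returns the subject, or throws IllegalArgumentException. */
    public interface JwtVerifier {
        String verify(String token);
    }

    private final JwtVerifier jwtVerifier;

    public StatelessJwtSecurityConfig(JwtVerifier jwtVerifier) {
        this.jwtVerifier = jwtVerifier;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // 1. No HttpSession: nothing the browser sends automatically (a session cookie)
            //    identifies the caller, so a forged cross-site request arrives unauthenticated.
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            // 2. Disabling CSRF is only safe because of (1) and because the filter below
            //    reads the token from a header, which cross-site HTML forms cannot set.
            .csrf().disable()
            .authorizeRequests().anyRequest().authenticated()
            .and()
            .addFilterBefore(new BearerHeaderFilter(jwtVerifier), UsernamePasswordAuthenticationFilter.class);
    }

    /** Hypothetical filter: authenticates from "Authorization: Bearer <jwt>" and nothing else. */
    static final class BearerHeaderFilter extends OncePerRequestFilter {
        private final JwtVerifier verifier;

        BearerHeaderFilter(JwtVerifier verifier) {
            this.verifier = verifier;
        }

        @Override
        protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res, FilterChain chain)
                throws ServletException, IOException {
            String header = req.getHeader("Authorization");
            if (header != null && header.startsWith("Bearer ")) {
                try {
                    String subject = verifier.verify(header.substring("Bearer ".length()));
                    // Three-argument constructor marks the token as authenticated.
                    UsernamePasswordAuthenticationToken auth =
                        new UsernamePasswordAuthenticationToken(subject, null, Collections.emptyList());
                    SecurityContextHolder.getContext().setAuthentication(auth);
                } catch (IllegalArgumentException badToken) {
                    // Invalid token: leave the context empty so the request is rejected as unauthenticated.
                    SecurityContextHolder.clearContext();
                }
            }
            // Cookies are deliberately ignored here. A JWT carried in a cookie would be attached by the
            // browser to cross-site requests as well, and CSRF protection would be required again.
            chain.doFilter(req, res);
        }
    }
}
```

The check a reviewer should make when seeing `.csrf().disable()` is therefore whether both conditions above hold. If the application later moves the JWT into a cookie (a common change to keep it away from page scripts), the stateless session no longer protects it and CSRF must be turned back on, for instance with `http.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())` plus a client that echoes the token in a header.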