Spring Security is coming out of the box with a protection against CSRF attacks. With 4.0, this protection is even enabled by default. Spring's recommendation is to "use CSRF protection for any request that could be processed by a browser by normal users". So there is no reason to disable it for standard web applications.

Recommended Secure Coding Practices

Noncompliant Code Example

@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

  @Override
  protected void configure(HttpSecurity http) throws Exception {
	  http.csrf().disable(); // Noncompliant
	}
}

See