I'm trying to understand the Apache Wicket 9.1 documentation what comes to CSRF protection. https://ci.apache.org/projects/wicket/guide/9.x/single.html#_csrf_protection
I'm not totally sure if the CSRF protection is enabled by default for actions? Or, does that require that I will introduce a ResourceIsolationRequestCycleLister in my WicketApplication and only after that the actions are CSRF protected?
@Override
protected void init() {
super.init();
getRequestCycleListeners().add(new ResourceIsolationRequestCycleListener());
// ...
}
the later part is true, i.e. only after introducing ResourceIsolationRequestCycleLister in your application the actions are CSRF protected while page request are not checked.