Correct method to pass Zap Absence of Anti-CSRF Tokens test for newsletter signup form

Question

I have a public facing form that, I believe, does not need CSRF protection. It is just a newsletter signup form. But when we run Zap Pen Test on it we get the following error:

No Anti-CSRF tokens were found in a HTML submission form.

Evidence:
<form data-cookie-name="newsletter" data-marketo-id="1031" id="newsletterForm" class="form-horizontal" ng-submit="submit(newsletterForm)" ng-controller="NewsletterSignupController" name="newsletterForm">

This newsletter uses Angular as a controller and we are doing a POST in the controller to send the email to the server.

Questions:

1. Do I really need to implement CSRF tokens on a public facing Form? If not, how do I get the Pen Test to pass without this error?

Answer 1

• Well you can mark it false positive (in the GUI or via the API).
• You can setup an Alert Filter to set it False Posituve.
• You can set a rule configuration to ignore the form in question.

Whether you need to prevent CSRF on the form is a business owner question. Are there processing concerns? Are there concerns around complaints or reputational damage?