ktorio · bjhham · Jan 26, 2024
diff --git a/...er/ktor-server-plugins/ktor-server-csrf/jvmAndNix/src/io/ktor/server/plugins/csrf/CSRF.kt b/...er/ktor-server-plugins/ktor-server-csrf/jvmAndNix/src/io/ktor/server/plugins/csrf/CSRF.kt
@@ -38,6 +38,11 @@ public val CSRF: RouteScopedPlugin<CSRFConfig> = createRouteScopedPlugin("CSRF",
     val headerChecks = pluginConfig.headerChecks
     val onFailure = pluginConfig.handleFailure
 
+    if (!checkHost && allowedOrigins.isEmpty() && headerChecks.isEmpty()) {
+        application.log.warn("No validation options provided for CSRF plugin - requests will not be verified!")
+        return@createRouteScopedPlugin
+    }
+
     onCall { call ->
 
         if (call.request.httpMethod in setOf(HttpMethod.Get, HttpMethod.Head, HttpMethod.Options)) {

diff --git a/...or-server-plugins/ktor-server-csrf/jvmAndNix/test/io/ktor/server/plugins/csrf/CSRFTest.kt b/...or-server-plugins/ktor-server-csrf/jvmAndNix/test/io/ktor/server/plugins/csrf/CSRFTest.kt
@@ -10,6 +10,7 @@ import io.ktor.http.*
 import io.ktor.server.response.*
 import io.ktor.server.routing.*
 import io.ktor.server.testing.*
+import org.slf4j.*
 import kotlin.test.*
 
 class CSRFTest {
@@ -216,6 +217,26 @@ class CSRFTest {
         }
     }
 
+    @Test
+    fun logsWarningWhenMisconfigured() {
+        val warnings = mutableListOf<String>()
+        val testLogger = object : Logger by LoggerFactory.getLogger("") {
+            override fun warn(message: String?) {
+                message?.let(warnings::add)
+            }
+        }
+        testApplication {
+            environment {
+                log = testLogger
+            }
+            install(CSRF)
+        }
+        assertEquals(
+            "No validation options provided for CSRF plugin - requests will not be verified!",
+            warnings.firstOrNull()
+        )
+    }
+
     private fun ApplicationTestBuilder.configureCSRF(csrfOptions: CSRFConfig.() -> Unit) {
         routing {
             route("/csrf") {