diff --git a/src/main/java/org/owasp/webgoat/webwolf/WebSecurityConfig.java b/src/main/java/org/owasp/webgoat/webwolf/WebSecurityConfig.java
index 7afa030afd..d1f04a68d5 100644
--- a/src/main/java/org/owasp/webgoat/webwolf/WebSecurityConfig.java
+++ b/src/main/java/org/owasp/webgoat/webwolf/WebSecurityConfig.java
@@ -56,7 +56,7 @@ protected void configure(HttpSecurity http) throws Exception {
 .authenticated()
 .anyRequest()
 .permitAll();
- security.and().csrf().disable().formLogin().loginPage("/login").failureUrl("/login?error=true");
+ security.and().csrf().formLogin().loginPage("/login").failureUrl("/login?error=true");
 security.and().formLogin().loginPage("/login").defaultSuccessUrl("/home", true).permitAll();
 security.and().logout().permitAll();
 }
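Review bot: The added line chains `.formLogin()` directly onto `.csrf()`, which most likely does not compile: in the configurer-style Spring Security API used here, `csrf()` returns a `CsrfConfigurer` that has no `formLogin()` method, and the removed `.disable()` was the call that handed the chain back to `HttpSecurity`. To keep CSRF protection on and the chain valid, write `security.and().csrf().and().formLogin().loginPage("/login").failureUrl("/login?error=true");`. Once CSRF is enabled, every state-changing form (including the `/login` form) must submit the `_csrf` token, and `logout()` by default accepts only POST; the templates are not visible in this hunk, so confirm they carry the token before merging. The body of `configure` starts above the hunk.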