How to know if CSRF Protection is enabled or disabled by default?

Article ID: KB0076890

Products: Spotfire Server
Versions: All Versions

Description

CSRF protection is enabled by default in TIBCO Spotfire Server, but when the 'config-csrf-protection' command is run after exporting the default configuration.xml file, its output reports the protection as disabled:

C:\tibco\tss\7.11.1\tomcat\bin>config export-config
Tool password:
Successfully exported the server configuration to file C:\tibco\tss\7.11.1\tomcat\bin\configuration.xml
-------------------------------------------------------------------
-------------------------------------------------------------------
C:\tibco\tss\7.11.1\tomcat\bin>config config-csrf-protection
The CSRF protection for the public Web Service API is disabled
The CSRF protection for legacy SOAP clients is disabled

By using the option described in the resolution, you can determine whether CSRF protection is actually enabled or disabled.

Issue/Introduction

How to know if CSRF Protection is enabled or disabled by default?

Resolution

By default, the 'config-xxx' commands show the current values of the properties that are explicitly present in the configuration.xml file. The CSRF protection settings are not written to configuration.xml by default, because CSRF protection exists for security reasons and should not normally be modified. Since they are not present as properties in configuration.xml, the output of the plain 'config-csrf-protection' command shows them as disabled.

Use the --verbose option to see whether CSRF protection is actually enabled or disabled:

> config config-csrf-protection --verbose

Example:

C:\tibco\tss\10.3.0\tomcat\spotfire-bin>config config-csrf-protection --verbose

The CSRF protection is enabled
The CSRF protection for SOAP services is enabled
The CSRF protection for legacy SOAP clients is disabled
Minimum client technical version that supports full CSRF protection: 21.0
Legacy SOAP services: UserDirectoryService.getPrincipal, UserDirectoryService.getGroupsRecursive, LoginService.login
Unprotected SOAP services: LoginService.login
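
An added example, not part of this article or of TIBCO's tooling: a small Python check that parses the text output of 'config config-csrf-protection' into a structured status and lists anything disabled or unprotected, and that refuses to draw conclusions from non-verbose output, since that output does not reflect the real state. The two sample outputs are constructed from the sessions shown above.

```python
import re

# Constructed samples: the two outputs shown in this article.
VERBOSE_OUTPUT = """\
The CSRF protection is enabled
The CSRF protection for SOAP services is enabled
The CSRF protection for legacy SOAP clients is disabled
Minimum client technical version that supports full CSRF protection: 21.0
Legacy SOAP services: UserDirectoryService.getPrincipal, UserDirectoryService.getGroupsRecursive, LoginService.login
Unprotected SOAP services: LoginService.login
"""
NON_VERBOSE_OUTPUT = """\
The CSRF protection for the public Web Service API is disabled
The CSRF protection for legacy SOAP clients is disabled
"""

# "The CSRF protection is enabled" (global line, --verbose only) or
# "The CSRF protection for <scope> is enabled|disabled".
STATUS_RE = re.compile(r"^The CSRF protection(?: for (?P<scope>.+?))? is (?P<state>enabled|disabled)$")
LIST_RE = re.compile(r"^(?P<key>Legacy|Unprotected) SOAP services: (?P<items>.*)$")


def parse_csrf_status(output: str) -> dict:
    # Turn the tool's text output into a structured status.
    status = {"scopes": {}, "legacy_services": [], "unprotected_services": []}
    for raw in output.splitlines():
        line = raw.strip()
        m = STATUS_RE.match(line)
        if m:
            scope = m.group("scope") or "global"
            status["scopes"][scope] = m.group("state") == "enabled"
            continue
        m = LIST_RE.match(line)
        if m:
            key = "legacy_services" if m.group("key") == "Legacy" else "unprotected_services"
            status[key] = [s.strip() for s in m.group("items").split(",") if s.strip()]
    # Only the --verbose output carries the global line; without it the
    # "disabled" lines do not describe the effective state (see Resolution).
    status["verbose"] = "global" in status["scopes"]
    return status


def csrf_findings(status: dict) -> list:
    # Items a reviewer should look at; an empty list means fully protected.
    if not status["verbose"]:
        return ["Non-verbose output: re-run with --verbose before drawing conclusions"]
    findings = [f"CSRF protection disabled for: {scope}"
                for scope, enabled in status["scopes"].items() if not enabled]
    findings += [f"SOAP service not CSRF-protected: {svc}"
                 for svc in status["unprotected_services"]]
    return findings
```

To use it against a live server, capture the command's stdout and pass it to parse_csrf_status; the finding about legacy SOAP clients and LoginService.login in the sample corresponds to what the verbose session above reports.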

Additional Information

Doc: config-csrf-protection