I have been working on a project with JSF 2.2, and a requirement is to pass the Acunetix vulnerability validation.
I activated protected-views (https://www.oracle.com/webfolder/technetwork/tutorials/obe/java/JSF-CSRF-Demo/JSF2.2CsrfDemo.html), but the validator still says that the site isn't protected against CSRF attacks.
The documentation says that I need a hidden input for POST requests, but in JSF 2.2 it says that with protected-views activated it's OK.
Do you know how to solve this problem? Do you have an implementation to solve this?