The team decided to disable default CSRF Spring protection and not implement CSRF tokens validation. ACM is a stateless REST API that is not as vulnerable to CSRF attacks as web applications running in web browsers are. ACM  does not manage sessions, each request requires the authentication token in the header.

See https://docs.spring.io/spring-security/site/docs/5.3.8.RELEASE/reference/html5/#csrf

So, we can suppress this warning in sonar