diff --git a/service/src/main/java/com/ericsson/eiffel/remrem/generate/config/DisabledSecurityConfig.java b/service/src/main/java/com/ericsson/eiffel/remrem/generate/config/DisabledSecurityConfig.java
index 8685f0a..498a273 100644
--- a/service/src/main/java/com/ericsson/eiffel/remrem/generate/config/DisabledSecurityConfig.java
+++ b/service/src/main/java/com/ericsson/eiffel/remrem/generate/config/DisabledSecurityConfig.java
@@ -34,6 +34,17 @@ public class DisabledSecurityConfig extends WebSecurityConfigurerAdapter {
 @Override
 protected void configure(HttpSecurity http) throws Exception {
- http.authorizeRequests().anyRequest().permitAll().and().csrf().disable();
+ http.authorizeRequests()
+ .anyRequest()
+ .permitAll()
+ .and()
+ .csrf()
+ // The application uses non-browser clients. Yes, there is swagger interface,
+ // but is's used only for testing/tuning.
+ //
+ // From https://docs.spring.io/spring-security/reference/features/exploits/csrf.html
+ // "If you are creating a service that is used only by non-browser clients,
+ // you likely want to disable CSRF protection."
+ .disable();
 }
 }
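Review bot: The new comment justifies `.disable()` only by the clients being non-browser, but the hunk's own `.permitAll()` already means no request in this configuration is authenticated, so there is no session or credential for a forged request to ride — that is the reason a CSRF token adds nothing here, and it holds even for the Swagger UI the comment admits is driven from a browser. Suggest adding `// Every request is permitted unauthenticated in this config, so there is no session a forged request could reuse.` ahead of the quoted documentation, and fixing the typo `is's` to `it's`. Because the class is the security-disabled variant, the comment should also state that this reasoning does not transfer to a configuration that authenticates users (presumably a sibling config exists, given the class name), where CSRF protection must stay on. The `@@` header shows the enclosing class continues outside the hunk.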