If CSRFGuard is disabled:
- The configurations should be lazily initialized: e.g. no validations, no class instances creation with reflection etc.
- No tokens should be (pre)created by the onSessionCreate
- The JavaScriptServlet should not serve the regular JS file that makes an additional request, tries to inject tokens to DOM elements and so on.
If CSRFGuard is disabled: