As explained in Upgrading to Jenkins LTS 2.222.x :
Jenkins will automatically enable CSRF protection with the default crumb issuer if it was disabled before. The ability to not have CSRF protection enabled has been deprecated and removed from the UI.
Currently, to be able to disable the functionality, it is required to use the parameter
-Dhudson.security.csrf.GlobalCrumbIssuerConfiguration.DISABLE_CSRF_PROTECTION=true on startup to disable CSRF protection.