How to Implement CSRF Protection (Symfony Docs)
CSRF - or Cross-site request forgery[1] - is a method by which a malicious user attempts to make your legitimate users unknowingly submit data that they don't intend to submit.
CSRF protection works by adding a hidden field to your form that contains a value that only you and your user know. This ensures that the user - not some other entity - is submitting the given data.
Before using the CSRF protection, install it in your project:
Then, enable/disable the CSRF protection with the csrf_protection option (see the CSRF configuration reference[2] for more information):
The tokens used for CSRF protection are meant to be different for every user and they are stored in the session. That's why a session is started automatically as soon as you render a form with CSRF protection.
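The following controller is an added example, not a snippet from the Symfony docs, showing the two places where the session-bound token described above is checked: automatically by the Form component when a form is submitted, and manually via `isCsrfTokenValid()` for a state-changing POST that has no form object. It assumes a Symfony application with the form and CSRF components installed, plus a hypothetical `TaskType` form class, `Task` entity, `task/new.html.twig` template and `task_list` route.

```php
<?php
// Added example, not from the Symfony docs. Assumes a Symfony app with
// symfony/form and symfony/security-csrf installed and csrf_protection
// enabled; App\Form\TaskType, App\Entity\Task and the task_list route
// are hypothetical names used for illustration only.

namespace App\Controller;

use App\Entity\Task;
use App\Form\TaskType;
use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Routing\Annotation\Route;

class TaskController extends AbstractController
{
    // The Form component renders the hidden "_token" field itself. On submit,
    // handleRequest() compares the posted value with the token kept in the
    // user's session, so isValid() is false (with an "invalid CSRF token"
    // error) whenever the request did not come from a form we rendered.
    #[Route('/task/new', name: 'task_new', methods: ['GET', 'POST'])]
    public function new(Request $request): Response
    {
        $form = $this->createForm(TaskType::class, new Task(), [
            'csrf_token_id' => 'task_item', // token id scoped to this form
        ]);
        $form->handleRequest($request);

        if ($form->isSubmitted() && $form->isValid()) {
            // ... persist the task here ...
            return $this->redirectToRoute('task_list');
        }

        return $this->render('task/new.html.twig', ['form' => $form->createView()]);
    }

    // For a POST without a form object (a "delete" button), render
    // {{ csrf_token('delete-task') }} into a hidden "_token" field in the
    // template and verify it here before changing any state.
    #[Route('/task/{id}/delete', name: 'task_delete', methods: ['POST'])]
    public function delete(Request $request, int $id): Response
    {
        if (!$this->isCsrfTokenValid('delete-task', $request->request->get('_token'))) {
            throw $this->createAccessDeniedException('Invalid CSRF token.');
        }
        // ... delete the task with the given $id here ...
        return $this->redirectToRoute('task_list');
    }
}
```

Because both checks read the token from the session, the session is started as soon as the form or the `csrf_token()` helper is rendered, which is why caching such pages needs care.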
Moreover, this means that you cannot fully cache pages that include CSRF protected forms. As an alternative, you can:
Embed the form inside an uncached ESI fragment[3] an...