@@ -100,6 +100,17 @@ CSRF Protection in Symfony Forms
100100checks them automatically for you. So, when using Symfony Forms, you don't have
101101to do anything to be protected against CSRF attacks.
102102
103+ .. note ::
104+
105+ According to `OWASP best practices `_, CSRF protection is only required for
106+ **state-changing operations **, which must not use ``GET `` requests (as per the
107+ HTTP specification). Moreover, including CSRF tokens in ``GET `` request
108+ parameters can cause them to leak through browser history, log files, network
109+ utilities, and Referer headers.
110+
111+ If one of your forms uses GET (for example, a read-only search form), you
112+ can :ref: `configure the form to disable CSRF protection <form-csrf-configuration >`.
113+
103114.. _form-csrf-customization :
104115
105116By default Symfony adds the CSRF token in a hidden field called ``_token ``, but
@@ -130,6 +141,8 @@ Globally, you can configure it under the ``framework.form`` option:
130141 ;
131142 };
132143
144+ form-csrf-configuration :
145+
133146On a form-by-form basis, you can configure the CSRF protection in the ``setDefaults() ``
134147method of each form::
135148
@@ -436,6 +449,7 @@ validation has been proven effective, it remains enforced for that session.
436449 fall back to ``Origin `` / ``Referer `` checks when JavaScript is unavailable.
437450
438451.. _`Cross-site request forgery` : https://en.wikipedia.org/wiki/Cross-site_request_forgery
452+ .. _`OWASP best practices` : https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html
439453.. _`BREACH` : https://en.wikipedia.org/wiki/BREACH
440454.. _`CRIME` : https://en.wikipedia.org/wiki/CRIME
441455.. _`some JavaScript` : https://github.com/symfony/recipes/blob/main/symfony/stimulus-bundle/2.20/assets/controllers/csrf_protection_controller.js
0 commit comments