minor #20994 [Security] Stateless CSRF is enabled by default in 7.2 (ThomasLandauer)

javiereguiluz · javiereguiluz · commit 0e258f755b54 · 2025-05-27T08:24:33.000+02:00
This PR was merged into the 7.2 branch. Discussion ---------- [Security] Stateless CSRF is enabled by default in 7.2 Page: https://symfony.com/doc/current/security/csrf.html#stateless-csrf-tokens Info is taken from https://github.com/symfony/recipes/blob/main/symfony/form/7.2/config/packages/csrf.yaml Commits ------- faa30fc [Security] Stateless CSRF is enabled by default in 7.2
diff --git a/security/csrf.rst b/security/csrf.rst
@@ -331,9 +331,9 @@ Stateless CSRF Tokens
 
 .. versionadded:: 7.2
 
-    Stateless anti-CSRF protection was introduced in Symfony 7.2.
+    Stateless anti-CSRF protection was introduced in Symfony 7.2, and set as default.
 
-By default CSRF tokens are stateful, which means they're stored in the session.
+Traditionally CSRF tokens are stateful, which means they're stored in the session.
 But some token ids can be declared as stateless using the ``stateless_token_ids``
 option:
 
