diff --git a/reference/configuration/framework.rst b/reference/configuration/framework.rst
index 05d707e370d..01752fbe950 100644
--- a/reference/configuration/framework.rst
+++ b/reference/configuration/framework.rst
@@ -20,11 +20,14 @@ Configuration
 * `ide`_
 * `test`_
 * `trusted_proxies`_
-* `form`_
-    * enabled
 * `csrf_protection`_
     * enabled
-    * field_name
+    * field_name (deprecated)
+* `form`_
+    * enabled
+    * csrf_protection
+        * enabled
+        * field_name
 * `session`_
     * `name`_
     * `cookie_lifetime`_
@@ -452,12 +455,16 @@ Full Default Configuration
             test:                 ~
             default_locale:       en
 
+            csrf_protection:
+                enabled:              false
+                field_name:           _token # Deprecated since 2.4, to be removed in 3.0. Use form.csrf_protection.field_name instead
+
             # form configuration
             form:
                 enabled:              false
-            csrf_protection:
-                enabled:              false
-                field_name:           _token
+                csrf_protection:
+                    enabled:              true
+                    field_name:           ~
 
             # esi configuration
             esi: