You are browsing the Symfony 4 documentation, which changes significantly from Symfony 3.x. If your app doesn't use Symfony 4 yet, browse the Symfony 3.4 documentation.

How to Implement CSRF Protection

4.1 version

How to Implement CSRF Protection

CSRF - or Cross-site request forgery - is a method by which a malicious user attempts to make your legitimate users unknowingly submit data that they don't intend to submit.

CSRF protection works by adding a hidden field to your form that contains a value that only you and your user know. This ensures that the user - not some other entity - is submitting the given data.

Before using the CSRF protection, install it in your project:

1
$ composer require symfony/security-csrf

Then, enable/disable the CSRF protection with the csrf_protection option (see the CSRF configuration reference for more information):

  • YAML
    1
    2
    3
    4
    # config/packages/framework.yaml
    framework:
        # ...
        csrf_protection: ~
    
  • XML
     1
     2
     3
     4
     5
     6
     7
     8
     9
    10
    11
    12
    13
    14
    <!-- config/packages/framework.xml -->
    <?xml version="1.0" encoding="UTF-8" ?>
    <container xmlns="http://symfony.com/schema/dic/services"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xmlns:framework="http://symfony.com/schema/dic/symfony"
        xsi:schemaLocation="http://symfony.com/schema/dic/services
            http://symfony.com/schema/dic/services/services-1.0.xsd
            http://symfony.com/schema/dic/symfony
            http://symfony.com/schema/dic/symfony/symfony-1.0.xsd">
    
        <framework:config>
            <framework:csrf-protection enabled="true" />
        </framework:config>
    </container>
    
  • PHP
    1
    2
    3
    4
    // config/packages/framework.php
    $container->loadFromExtension('framework', array(
        'csrf_protection' => null,
    ));
    

CSRF Protection in Symfony Forms

Forms created with the Symfony Form component include CSRF tokens by default and Symfony checks them automatically, so you don't have to do anything to be protected against CSRF attacks.

By default Symfony adds the CSRF token in a hidden field called _token, but this can be customized on a form-by-form basis:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
// ...
use App\Entity\Task;
use Symfony\Component\OptionsResolver\OptionsResolver;

class TaskType extends AbstractType
{
    // ...

    public function configureOptions(OptionsResolver $resolver)
    {
        $resolver->setDefaults(array(
            'data_class'      => Task::class,
            // enable/disable CSRF protection for this form
            'csrf_protection' => true,
            // the name of the hidden HTML field that stores the token
            'csrf_field_name' => '_token',
            // an arbitrary string used to generate the value of the token
            // using a different string for each form improves its security
            'csrf_token_id'   => 'task_item',
        ));
    }

    // ...
}

Caution

Since the token is stored in the session, a session is started automatically as soon as you render a form with CSRF protection.

Caution

CSRF tokens are meant to be different for every user. Beware of that when caching pages that include forms containing CSRF tokens. For more information, see Caching Pages that Contain CSRF Protected Forms.

CSRF Protection in Login Forms

Login CSRF attacks can be prevented using the same technique of adding hidden CSRF tokens into the login forms. The Security component already provides CSRF protection, but you need to configure some options before using it.

Tip

If you're using a Guard Authenticator, you'll need to validate the CSRF token manually inside of that class. See Adding CSRF Protection for details.

First, configure the CSRF token provider used by the form login in your security configuration. You can set this to use the default provider available in the security component:

  • YAML
     1
     2
     3
     4
     5
     6
     7
     8
     9
    10
    # config/packages/security.yaml
    security:
        # ...
    
        firewalls:
            secured_area:
                # ...
                form_login:
                    # ...
                    csrf_token_generator: security.csrf.token_manager
    
  • XML
     1
     2
     3
     4
     5
     6
     7
     8
     9
    10
    11
    12
    13
    14
    15
    16
    17
    <!-- config/packages/security.xml -->
    <?xml version="1.0" encoding="UTF-8" ?>
    <srv:container xmlns="http://symfony.com/schema/dic/security"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xmlns:srv="http://symfony.com/schema/dic/services"
        xsi:schemaLocation="http://symfony.com/schema/dic/services
            http://symfony.com/schema/dic/services/services-1.0.xsd">
    
        <config>
            <!-- ... -->
    
            <firewall name="secured_area">
                <!-- ... -->
                <form-login csrf-token-generator="security.csrf.token_manager" />
            </firewall>
        </config>
    </srv:container>
    
  • PHP
     1
     2
     3
     4
     5
     6
     7
     8
     9
    10
    11
    12
    13
    14
    // config/packages/security.php
    $container->loadFromExtension('security', array(
        // ...
    
        'firewalls' => array(
            'secured_area' => array(
                // ...
                'form_login' => array(
                    // ...
                    'csrf_token_generator' => 'security.csrf.token_manager',
                ),
            ),
        ),
    ));
    

Then, use the csrf_token() function in the Twig template to generate a CSRF token and store it as a hidden field of the form. By default, the HTML field must be called _csrf_token and the string used to generate the value must be authenticate:

  • Twig
     1
     2
     3
     4
     5
     6
     7
     8
     9
    10
    11
    12
    {# templates/security/login.html.twig #}
    
    {# ... #}
    <form action="{{ path('login') }}" method="post">
        {# ... the login fields #}
    
        <input type="hidden" name="_csrf_token"
            value="{{ csrf_token('authenticate') }}"
        >
    
        <button type="submit">login</button>
    </form>
    
  • PHP
     1
     2
     3
     4
     5
     6
     7
     8
     9
    10
    11
    12
    <!-- templates/security/login.html.php -->
    
    <!-- ... -->
    <form action="<?php echo $view['router']->path('login') ?>" method="post">
        <!-- ... the login fields -->
    
        <input type="hidden" name="_csrf_token"
            value="<?php echo $view['form']->csrfToken('authenticate') ?>"
        >
    
        <button type="submit">login</button>
    </form>
    

After this, you have protected your login form against CSRF attacks.

Tip

You can change the name of the field by setting csrf_parameter and change the token ID by setting csrf_token_id in your configuration:

  • YAML
     1
     2
     3
     4
     5
     6
     7
     8
     9
    10
    11
    # config/packages/security.yaml
    security:
        # ...
    
        firewalls:
            secured_area:
                # ...
                form_login:
                    # ...
                    csrf_parameter: _csrf_security_token
                    csrf_token_id: a_private_string
    
  • XML
     1
     2
     3
     4
     5
     6
     7
     8
     9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    <!-- config/packages/security.xml -->
    <?xml version="1.0" encoding="UTF-8" ?>
    <srv:container xmlns="http://symfony.com/schema/dic/security"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xmlns:srv="http://symfony.com/schema/dic/services"
        xsi:schemaLocation="http://symfony.com/schema/dic/services
            http://symfony.com/schema/dic/services/services-1.0.xsd">
    
        <config>
            <!-- ... -->
    
            <firewall name="secured_area">
                <!-- ... -->
                <form-login csrf-parameter="_csrf_security_token"
                    csrf-token-id="a_private_string"
                />
            </firewall>
        </config>
    </srv:container>
    
  • PHP
     1
     2
     3
     4
     5
     6
     7
     8
     9
    10
    11
    12
    13
    14
    15
    // config/packages/security.php
    $container->loadFromExtension('security', array(
        // ...
    
        'firewalls' => array(
            'secured_area' => array(
                // ...
                'form_login' => array(
                    // ...
                    'csrf_parameter' => '_csrf_security_token',
                    'csrf_token_id'  => 'a_private_string',
                ),
            ),
        ),
    ));
    

CSRF Protection in HTML Forms

New in version 4.1: In Symfony versions prior to 4.1, CSRF support required installing the Symfony Form component even if you didn't use it.

It's also possible to add CSRF protection to regular HTML forms not managed by the Symfony Form component, for example the simple forms used to delete items. First, use the csrf_token() function in the Twig template to generate a CSRF token and store it as a hidden field of the form:

1
2
3
4
5
6
<form action="{{ url('admin_post_delete', { id: post.id }) }}" method="post">
    {# the argument of csrf_token() is an arbitrary value used to generate the token #}
    <input type="hidden" name="token" value="{{ csrf_token('delete-item') }}" />

    <button type="submit">Delete item</button>
</form>

Then, get the value of the CSRF token in the controller action and use the isCsrfTokenValid() to check its validity:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
use Symfony\Component\HttpFoundation\Request;
// ...

public function delete(Request $request)
{
    $submittedToken = $request->request->get('token');

    // 'delete-item' is the same value used in the template to generate the token
    if ($this->isCsrfTokenValid('delete-item', $submittedToken)) {
        // ... do something, like deleting an object
    }
}

This work, including the code samples, is licensed under a Creative Commons BY-SA 3.0 license.