@@ -109,22 +109,28 @@ CSRF Protection in Login Forms
109109See :doc: `/security/form_login_setup ` for a login form that is protected from
110110CSRF attacks.
111111
112- CSRF Protection in HTML Forms
113- -----------------------------
112+ .. _csrf-protection-in-html-forms :
113+
114+ Generating and Checking CSRF Tokens Manually
115+ --------------------------------------------
114116
115117.. versionadded :: 4.1
118+
116119 In Symfony versions prior to 4.1, CSRF support required installing the
117120 Symfony Form component even if you didn't use it.
118121
119- It's also possible to add CSRF protection to regular HTML forms not managed by
120- the Symfony Form component, for example the simple forms used to delete items.
121- First, use the ``csrf_token() `` function in the Twig template to generate a CSRF
122- token and store it as a hidden field of the form:
122+ Although Symfony Forms provide automatic CSRF protection by default, you may
123+ need to generate and check CSRF tokens manually for example when using regular
124+ HTML forms not managed by the Symfony Form component.
125+
126+ Consider a simple HTML form created to allow deleting items. First, use the
127+ :ref: `csrf_token() Twig function <reference-twig-function-csrf-token >` to
128+ generate a CSRF token in the template and store it as a hidden form field:
123129
124130.. code-block :: twig
125131
126132 <form action="{{ url('admin_post_delete', { id: post.id }) }}" method="post">
127- {# the argument of csrf_token() is an arbitrary value used to generate the token #}
133+ {# the argument of csrf_token() is an arbitrary string used to generate the token #}
128134 <input type="hidden" name="token" value="{{ csrf_token('delete-item') }}" />
129135
130136 <button type="submit">Delete item</button>
0 commit comments