form_no_csrf.rst

    Fabien Potencier authored
    1c86d1a8

    Disabling CSRF Protection on a Form using the FormExtension

    The FormExtension provides a service for building forms in your application with the Symfony Form component. When the :doc:`CSRF Service Provider </providers/csrf>` is registered, the FormExtension uses CSRF protection to guard against cross-site request forgery, a method by which a malicious user attempts to make your legitimate users unknowingly submit data that they don't intend to submit.

    You can find more details about CSRF Protection and CSRF token in the Symfony Book.

    In some cases (for example, when embedding a form in an HTML email) you might not want to use this protection. The easiest way to disable it is to pass specific options to your form builder through the createBuilder() function.

    Example

    $form = $app['form.factory']->createBuilder('form', null, array('csrf_protection' => false));

    That's it: your form can now be submitted from anywhere, without CSRF protection.
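Because a form built with csrf_protection set to false accepts submissions from any origin, a form embedded in an email needs some other proof that the request is the one you sent out. The following is an added example, not part of the Silex documentation: it disables CSRF protection for one form only and checks a signed, expiring token instead, assuming a Silex application in $app, PHP 5.6+, and hypothetical names for the route, the hidden fields and the EMAIL_FORM_KEY secret.

```php
<?php
// Added example, not Silex's own code. Assumes $app is a Silex application with
// the FormServiceProvider registered, PHP 5.6+ (hash_equals), and the same string
// type names as the page's example. EMAIL_FORM_KEY, the route and the field names
// are hypothetical.
use Symfony\Component\HttpFoundation\Request;

// Sign "recipient|expires" when the email is generated, and put all three
// values into the form's hidden fields.
function emailFormToken($key, $recipientId, $expires)
{
    return hash_hmac('sha256', $recipientId.'|'.$expires, $key);
}

function emailFormTokenIsValid($key, $recipientId, $expires, $token, $now)
{
    if (!ctype_digit((string) $expires) || (int) $expires < $now) {
        return false; // malformed or expired
    }
    // hash_equals() compares in constant time
    return hash_equals(emailFormToken($key, $recipientId, $expires), (string) $token);
}

$app->post('/newsletter/confirm', function (Request $request) use ($app) {
    // CSRF protection is switched off for this form only; every other form
    // built through form.factory keeps the default protection.
    $form = $app['form.factory']
        ->createBuilder('form', null, array('csrf_protection' => false))
        ->add('recipient', 'hidden')
        ->add('expires', 'hidden')
        ->add('token', 'hidden')
        ->getForm();

    $form->handleRequest($request);
    if (!$form->isSubmitted() || !$form->isValid()) {
        $app->abort(400, 'Invalid form submission.');
    }

    $data = $form->getData();
    $key = getenv('EMAIL_FORM_KEY'); // secret kept outside the code base
    if (!$key || !emailFormTokenIsValid($key, $data['recipient'], $data['expires'], $data['token'], time())) {
        $app->abort(403, 'Invalid or expired token.');
    }

    // Apply the change for $data['recipient'] only, never for the session user.
    return 'Confirmed.';
});
```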

    Going further

    This specific example showed how to change csrf_protection in the $options parameter of the createBuilder() function. Other options can be passed through this parameter; it is as simple as using the Symfony getDefaultOptions() method in your form classes. See more here.