include::../description.adoc[]

include::../ask-yourself.adoc[]

include::../recommended.adoc[]

== Sensitive Code Example

For https://laravel.com/docs/8.x/csrf#csrf-excluding-uris[Laravel VerifyCsrfToken middleware]


----
use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as Middleware;

class VerifyCsrfToken extends Middleware
{
    protected $except = [
        'api/*'
    ]; // Sensitive; disable CSRF protection for a list of routes
}
----

For https://symfony.com/doc/current/security/csrf.html#csrf-protection-in-symfony-forms[Symfony Forms]


----
use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;

class Controller extends AbstractController {

  public function action() {
    $this->createForm('', null, [
      'csrf_protection' => false, // Sensitive; disable CSRF protection for a single form
    ]);
  }
}
----

== Compliant Solution

For https://laravel.com/docs/8.x/csrf#csrf-excluding-uris[Laravel VerifyCsrfToken middleware]


----
use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as Middleware;

class VerifyCsrfToken extends Middleware
{
    protected $except = []; // Compliant
}
----
Remember to add https://laravel.com/docs/8.x/blade#csrf-field[@csrf] blade directive to the relevant forms when removing an element from $except. Otherwise the form submission will stop working.


For https://symfony.com/doc/current/security/csrf.html#csrf-protection-in-symfony-forms[Symfony Forms]


----
use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;

class Controller extends AbstractController {

  public function action() {
    $this->createForm('', null, []); // Compliant; CSRF protection is enabled by default
  }
}
----

include::../see.adoc[]

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

include::../message.adoc[]

'''
== Comments And Links
(visible only on this page)

include::../comments-and-links.adoc[]
endif::env-github,rspecator-view[]