Merge branch '6.4' into 7.3

javiereguiluz · javiereguiluz · commit 1bd508ea4af1 · 2025-11-13T17:11:54.000+01:00
* 6.4:
  fix default CSRF token input name
diff --git a/security/csrf.rst b/security/csrf.rst
@@ -119,7 +119,7 @@ to do anything to be protected against CSRF attacks.
 
 .. _form-csrf-customization:
 
-By default Symfony adds the CSRF token in a hidden field called ``_csrf_token``, but
+By default Symfony adds the CSRF token in a hidden field called ``_token``, but
 this can be customized (1) globally for all forms and (2) on a form-by-form basis.
 Globally, you can configure it under the ``framework.form`` option:
 
@@ -187,7 +187,7 @@ method of each form::
                 // enable/disable CSRF protection for this form
                 'csrf_protection' => true,
                 // the name of the hidden HTML field that stores the token
-                'csrf_field_name' => '_token',
+                'csrf_field_name' => 'custom_token_name',
                 // an arbitrary string used to generate the value of the token
                 // using a different string for each form improves its security
                 // when using stateful tokens (which is the default)
