Skip to main content

Remediation Steps

Follow the steps below to remediate this finding on Drupal.

  1. Drupal's Form API adds CSRF tokens automatically to all forms built with the Form API.

  2. Ensure all custom forms extend \Drupal\Core\Form\FormBase and use the standard buildForm/submitForm pattern.

  3. For custom AJAX endpoints, add the '_csrf_token' requirement to the route:

  4. requirements:

  5. _csrf_token: 'TRUE'

  6. For REST endpoints, enable the csrf_token query parameter requirement in your route definition.

Back to top