anonymous_token

436 sites Security covered

This module generates and validates CSRF tokens for anonymous users.

By default Drupal generates CSRF tokens only for authenticated users.

See also "Anonymous forms vulnerable to CSRF not considered a vulnerability" and "#1803712: Allow form tokens to be used on anonymous forms in some cases".

7.x-1.x

1. Install and activate module
2. Check CSRF token for anonymous users

8.x-1.x

See CSRF Anonymous Token for the Drupal 8 variant of this module's 7.x-1.x branch.

2.x / 3.x

The 2.x release of this module is completely different in design, implementation, and purpose. Version 2.0+ of this module does not wire up anonymous CSRF protection automatically. Instead, you must explicitly wire up each route you wish to protect in *.routing.yml, enabling CSRF token protection for each route by specifying _anonymous_csrf_token: 'TRUE' in the route's declaration.

You will also need to call this module's AnonymousCsrfTokenGenerator service that wraps the CsrfTokenGenerator from Core in order to complete the implementation:

use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;

/** @var \Drupal\anonymous_token\Access\AnonymousCsrfTokenGenerator $csrf_token_service */
$csrf_token_service = \Drupal::service('anonymous_token.csrf_token');

// The path is an optional argument for generating and validating CSRF tokens.
$path = 'example-path';

// Generate a CSRF token.
$csrf_token = $csrf_token_service->get($path);

// Example manual CSRF token validation, if not via the route access checker.
if ($csrf_token_service->validate($csrf_token, $path) === FALSE) {
  throw new AccessDeniedHttpException('Invalid token');
}
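
The route wiring described above, shown as an added example that is not taken from the module's own documentation. The module name, route names, paths and controller are hypothetical, and placing the key under requirements (where core's _csrf_token goes) is an assumption.

```yaml
# example_module.routing.yml (hypothetical module, paths and controller)

# Before: a state-changing endpoint that anonymous users can reach.
# Nothing ties the POST to a page this site served, so a third-party
# page can submit it on the visitor's behalf.
example_module.subscribe_unprotected:
  path: '/example/subscribe-unprotected'
  defaults:
    _controller: '\Drupal\example_module\Controller\SubscribeController::submit'
  methods: [POST]
  requirements:
    _access: 'TRUE'

# After: the same endpoint opted in to anonymous CSRF protection.
# 2.x / 3.x protects only routes that declare the key explicitly;
# every other route stays as it was.
example_module.subscribe:
  path: '/example/subscribe'
  defaults:
    _controller: '\Drupal\example_module\Controller\SubscribeController::submit'
  methods: [POST]
  requirements:
    _access: 'TRUE'
    # Assumption: declared as a route requirement, like core's _csrf_token.
    _anonymous_csrf_token: 'TRUE'
```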

Activity

Total releases: 2
First release: Jan 2025
Latest release: 6 months ago
Release cadence: 245 days
Stability: 0% stable

Releases

Version Type Release date
3.0.0-beta3 Pre-release Sep 24, 2025
3.0.0-beta2 Pre-release Jan 22, 2025