Anonymous CSRF Token
This module generates and validates CSRF tokens for anonymous users, providing an extra layer of security for forms and actions that don't require user authentication. By default, Drupal only provides CSRF protection for logged-in users, but this module extends that protection to anonymous visitors.
This module generates and validates CSRF tokens for anonymous users.
By default Drupal generates CSRF tokens only for authenticated users.
See also Anonymous forms vulnerable to CSRF not considered a vulnerability and #1803712: Allow form tokens to be used on anonymous forms in some cases.
7.x-1.x
1. Install and activate module
2. Check CSRF token for anonymous users
8.x-1.x
See CSRF Anonymous Token for the Drupal 8 variant of this module's 7.x-1.x branch.
2.x / 3.x
The 2.x release of this module is completely different in design, implementation, and purpose. Version 2.0+ of this module does not wire up anonymous CSRF protection automatically. Rather, you must explicitly wire up each route you wish to protect *.routing.yml and enable CSRF token protection for each route via specifying _anonymous_csrf_token: 'TRUE' in the route's declaration.
You will also need to call this module's AnonymousCsrfTokenGenerator service that wraps the CsrfTokenGenerator from Core in order to complete the implementation:
/** @var \Drupal\anonymous_token\Access\AnonymousCsrfTokenGenerator $csrf_token_service */
$csrf_token_service = \Drupal::service('anonymous_token.csrf_token');
// The path is an optional argument for generating and validating CSRF tokens.
$path = 'example-path';
// Generate a CSRF token.
$csrf_token = $csrf_token_service->get($path);
// Example manual CSRF token validation, if not via the route access checker.
if ($csrf_token_service->validate($csrf_token, $path) === FALSE) {
throw new AccessDeniedHttpException('Invalid token');
}