Drupal is a registered trademark of Dries Buytaert
Protected Pages 3.0.0 Major update available for module protected_pages (3.0.0). Commerce Core 3.3.8 Minor update available for module commerce (3.3.8). Search API HTML Element Filter 1.0.7 Minor update available for module search_api_html_element_filter (1.0.7). Layout Builder Reorder 2.0.1 Minor update available for module layout_builder_reorder (2.0.1). Ban 1.1.0 Minor update available for module ban (1.1.0). Field Formatter Range 2.0.0 Major update available for module field_formatter_range (2.0.0). Field Formatter Range 8.x-1.8 Minor update available for module field_formatter_range (8.x-1.8). UI Patterns (SDC in Drupal UI) 2.0.18 Minor update available for module ui_patterns (2.0.18). Search API Solr 4.3.11 Module search_api_solr updated after 14 months of inactivity (4.3.11). Provus Mega Menu Module provus_mega_menu crossed 1,000 active installs.

Anonymous CSRF Token

494 sites Security covered
View on drupal.org

This module generates and validates CSRF tokens for anonymous users, providing an extra layer of security for forms and actions that don't require user authentication. By default, Drupal only provides CSRF protection for logged-in users, but this module extends that protection to anonymous visitors.

This module generates and validates CSRF tokens for anonymous users.

By default Drupal generates CSRF tokens only for authenticated users.

See also Anonymous forms vulnerable to CSRF not considered a vulnerability and #1803712: Allow form tokens to be used on anonymous forms in some cases.

7.x-1.x

1. Install and activate module
2. Check CSRF token for anonymous users

8.x-1.x

See CSRF Anonymous Token for the Drupal 8 variant of this module's 7.x-1.x branch.

2.x / 3.x

The 2.x release of this module is completely different in design, implementation, and purpose. Version 2.0+ of this module does not wire up anonymous CSRF protection automatically. Rather, you must explicitly wire up each route you wish to protect *.routing.yml and enable CSRF token protection for each route via specifying _anonymous_csrf_token: 'TRUE' in the route's declaration.

You will also need to call this module's AnonymousCsrfTokenGenerator service that wraps the CsrfTokenGenerator from Core in order to complete the implementation:

/** @var \Drupal\anonymous_token\Access\AnonymousCsrfTokenGenerator $csrf_token_service */
$csrf_token_service = \Drupal::service('anonymous_token.csrf_token');

// The path is an optional argument for generating and validating CSRF tokens.
$path = 'example-path';

// Generate a CSRF token.
$csrf_token = $csrf_token_service->get($path);

// Example manual CSRF token validation, if not via the route access checker.
if ($csrf_token_service->validate($csrf_token, $path) === FALSE) {
  throw new AccessDeniedHttpException('Invalid token');
}

Activity

Total releases
2
First release
Jan 2025
Latest release
9 months ago
Releases (12 mo)
1
Maintenance
Active

Releases

Version Type Release date
3.0.0-beta3 Pre-release Sep 24, 2025
3.0.0-beta2 Pre-release Jan 22, 2025