From the discussion in https://github.com/symfony/symfony/issues/18115: we should add the Double Submit Cookies CSRF prevention strategy as described in the OWASP CSRF Prevention Cheat Sheet, https://www.owasp.org/index.php/CSRF_Prevention_Cheat_Sheet#Double_Submit_Cookies

If doable, this should be the default CSRF prevention strategy used in Symfony SE.
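As an added illustration of the strategy proposed above (example code written for this page, not Symfony's implementation and not from the linked issue or cheat sheet): a minimal stateless double-submit cookie check in plain PHP. The cookie and form field names are assumed, and the options-array form of `setcookie()` needs PHP 7.3 or newer.

```php
<?php
// Added example, not Symfony code: stateless double-submit cookie CSRF check.
declare(strict_types=1);

const CSRF_COOKIE = 'csrf_token';   // cookie name (assumed for this example)
const CSRF_FIELD  = '_csrf_token';  // hidden form field name (assumed)

/** Fresh, unguessable token: 32 random bytes, hex encoded (64 chars). */
function csrf_generate_token(): string
{
    return bin2hex(random_bytes(32));
}

/**
 * Issue the token as a cookie. HttpOnly is fine here because the server,
 * not client-side JavaScript, copies the value into the hidden form field.
 */
function csrf_issue_cookie(string $token): void
{
    setcookie(CSRF_COOKIE, $token, [
        'expires'  => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
}

/** Hidden input to embed in every state-changing form. */
function csrf_hidden_field(string $token): string
{
    return sprintf('<input type="hidden" name="%s" value="%s">',
        CSRF_FIELD, htmlspecialchars($token, ENT_QUOTES, 'UTF-8'));
}

/**
 * Validate a submission: cookie and form values must both be present,
 * well formed, and equal. hash_equals() avoids a timing side channel, and
 * the format check rejects the empty string so '' == '' can never pass.
 */
function csrf_is_valid(array $cookies, array $post): bool
{
    $fromCookie = $cookies[CSRF_COOKIE] ?? '';
    $fromForm   = $post[CSRF_FIELD] ?? '';
    if (!is_string($fromCookie) || !is_string($fromForm)) {
        return false;
    }
    if (!preg_match('/^[0-9a-f]{64}$/', $fromCookie)) {
        return false;
    }
    return hash_equals($fromCookie, $fromForm);
}

// GET:  $t = csrf_generate_token(); csrf_issue_cookie($t); echo csrf_hidden_field($t);
// POST: if (!csrf_is_valid($_COOKIE, $_POST)) { http_response_code(403); exit; }
```

The naive form above is only as strong as an attacker's inability to set cookies for the site's domain (for example from a sibling subdomain); the linked cheat sheet discusses binding the token to a server-side secret to close that gap.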