
Disable http_method_override by default #45278

@Tobion

Description

It bugs me that I have to disable http_method_override in every Symfony project because it defaults to true: https://symfony.com/doc/current/reference/configuration/framework.html#http-method-override
The use-case of this feature is clear: to emulate e.g. PUT or DELETE requests using HTML forms. But I think the need for this is very uncommon and not modern. Furthermore, enabling it opens a security gateway if not used with CSRF protection.

So I'm proposing to switch the default value to false in the next major Symfony version. For this, we need to deprecate relying on the default value. This should not affect many people as the default recipes already disable this config anyway, see https://github.com/symfony/recipes/blob/master/symfony/framework-bundle/5.4/config/packages/framework.yaml#L5
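Added example, not part of the original issue and not Symfony code: a small audit that reports whether a project sets `framework.http_method_override` explicitly or relies on the default the issue describes. It assumes YAML configuration under `config/` (PHP and XML configuration are not inspected); the function names and the sample input are constructed for illustration.

```python
import re
from pathlib import Path

KEY = re.compile(r"^http_method_override:\s*(\S*)")

def find_settings(yaml_text):
    """Return the values given to framework.http_method_override in one file."""
    values, fw_indent, child_indent = [], None, None
    for raw in yaml_text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).rstrip()  # drop YAML comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key = line.strip()
        if fw_indent is not None and indent <= fw_indent:
            fw_indent = child_indent = None  # left the framework: block
        if fw_indent is None:
            if key == "framework:":  # top level or nested under when@<env>:
                fw_indent = indent
            continue
        if child_indent is None:
            child_indent = indent  # indentation of framework's direct children
        m = KEY.match(key)
        if m and indent == child_indent:
            values.append(m.group(1).lower())
    return values

def classify(files):
    """files maps path -> YAML text. Returns (verdict, paths)."""
    found = {p: v for p, t in files.items() if (v := find_settings(t))}
    if not found:
        # No explicit value: the project relies on the framework default,
        # which the issue says is true.
        return "implicit-default", []
    bad = sorted(p for p, vals in found.items() if any(v != "false" for v in vals))
    return ("review", bad) if bad else ("disabled", sorted(found))

def audit_project(root):
    """Classify every YAML file under <root>/config."""
    cfg = Path(root, "config")
    paths = [*cfg.rglob("*.yaml"), *cfg.rglob("*.yml")]
    return classify({str(p): p.read_text(encoding="utf-8") for p in paths})

if __name__ == "__main__":
    # Constructed sample: a framework.yaml that never mentions the option.
    sample = "framework:\n    secret: '%env(APP_SECRET)%'\n"
    print(classify({"config/packages/framework.yaml": sample}))
```

A `review` verdict lists the files where the option is set to anything other than a literal `false` (including `true` or an environment placeholder), which are the places to confirm CSRF protection covers the affected forms.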
