From faa30fc32ec1a0360baa201db0afd7edcf4861bb Mon Sep 17 00:00:00 2001 From: Thomas Landauer Date: Sun, 25 May 2025 11:52:44 +0200 Subject: [PATCH] [Security] Stateless CSRF is enabled by default in 7.2 Page: https://symfony.com/doc/current/security/csrf.html#stateless-csrf-tokens Info is taken from https://github.com/symfony/recipes/blob/main/symfony/form/7.2/config/packages/csrf.yaml --- security/csrf.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/security/csrf.rst b/security/csrf.rst index b72c7cc2526..07e0671f07b 100644 --- a/security/csrf.rst +++ b/security/csrf.rst @@ -331,9 +331,9 @@ Stateless CSRF Tokens .. versionadded:: 7.2 - Stateless anti-CSRF protection was introduced in Symfony 7.2. + Stateless anti-CSRF protection was introduced in Symfony 7.2, and set as default. -By default CSRF tokens are stateful, which means they're stored in the session. +Traditionally CSRF tokens are stateful, which means they're stored in the session. But some token ids can be declared as stateless using the ``stateless_token_ids`` option:
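Review bot: the new ``versionadded`` wording "set as default" does not say what sets the default; the commit message itself traces the claim to the ``symfony/form`` recipe's ``config/packages/csrf.yaml`` in the recipes repository, so stateless protection is the default only for applications that installed that recipe, not a framework-level default for every 7.2 application. Name that scope explicitly, for example: "Stateless anti-CSRF protection was introduced in Symfony 7.2 and is enabled by default in new applications through the ``symfony/form`` recipe." (also drop the comma in "7.2, and set as default"). The body change then reads inconsistently: "Traditionally CSRF tokens are stateful, which means they're stored in the session." is followed by the unchanged "But some token ids can be declared as stateless using the ``stateless_token_ids`` option:", which still presents stateless tokens as opt-in, so a reader cannot tell whether their own tokens are stateful or stateless. Since this is a security property, add a sentence pointing readers to the ``stateless_token_ids`` setting in their own ``config/packages/csrf.yaml`` as the place to verify which mode their application actually uses.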