All form submissions and POST requests must include Magento’s built-in form key validation. Without Cross-Site Request Forgery (CSRF) tokens, attackers can trick logged-in users into performing unintended actions. Enforcing CSRF checks protects critical workflows like checkout or admin actions.
Cross-Site Request Forgery (CSRF) happens when an attacker tricks a logged-in user's browser into submitting a request the user did not intend. For example, a hidden link or an auto-submitting form on an attacker's page could make the browser perform an admin action such as changing settings or deleting data, carrying the victim's session cookie with it.
Magento uses form keys (CSRF tokens) to make sure each state-changing request originated from a page Magento served to that session, not from a forged page on another origin: the key is stored in the session and echoed in every form, and a cross-site page cannot read it. If developers disable or forget this check, attackers can hijack user actions silently. Enforcing CSRF protection is critical for protecting sensitive operations like checkout and admin changes.
# Inspect custom forms in PHTML or layout files
# They should include the form key field:
<input type="hidden" name="form_key" value="<?= $block->getFormKey() ?>" />
# Check controllers for CSRF validation
# Classes should extend \Magento\Framework\App\Action\Action
# and use Magento's CSRF validation plugins
Include form_key in custom forms. Use \Magento\Framework\Data\Form\FormKey to generate tokens.
Vulnerable form (no CSRF token, so any site can submit it on the user's behalf):
<form action="/customer/delete" method="post">
<!-- Missing CSRF token -->
<button type="submit">Delete</button>
</form>
Fixed form (form key included, so the controller can verify it against the session):
<form action="/customer/delete" method="post">
<input type="hidden" name="form_key" value="<?= $block->getFormKey() ?>" />
<button type="submit">Delete</button>
</form>
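The template fix above only works if the controller that receives the POST actually checks the key. The following is an added example, not code from the original page or from Magento core: a hypothetical frontend controller (module and route names Vendor_Example are placeholders) that accepts only POST and validates form_key with Magento's \Magento\Framework\Data\Form\FormKey\Validator before doing anything destructive.

```php
<?php
// Added example for a hypothetical Vendor_Example module (not Magento core code).
// Handles the "/customer/delete" POST shown above and rejects requests whose
// form_key does not match the key stored in the visitor's session.
declare(strict_types=1);

namespace Vendor\Example\Controller\Customer;

use Magento\Framework\App\Action\Action;
use Magento\Framework\App\Action\Context;
use Magento\Framework\App\Action\HttpPostActionInterface;
use Magento\Framework\Controller\ResultInterface;
use Magento\Framework\Data\Form\FormKey\Validator as FormKeyValidator;

// HttpPostActionInterface restricts the action to POST; a GET with the same
// path (for example a hidden <img src=...> on another site) is refused.
class Delete extends Action implements HttpPostActionInterface
{
    private FormKeyValidator $formKeyValidator;

    public function __construct(Context $context, FormKeyValidator $formKeyValidator)
    {
        parent::__construct($context);
        $this->formKeyValidator = $formKeyValidator;
    }

    public function execute(): ResultInterface
    {
        $resultRedirect = $this->resultRedirectFactory->create();

        // Explicit CSRF check: compares the submitted form_key parameter with
        // the session-bound key. A forged cross-site POST cannot read the
        // victim's session key, so it fails here and nothing is deleted.
        if (!$this->formKeyValidator->validate($this->getRequest())) {
            $this->messageManager->addErrorMessage(
                __('Invalid form key. Please refresh the page and try again.')
            );
            return $resultRedirect->setPath('customer/account');
        }

        // ... the actual delete logic for the current customer goes here ...

        $this->messageManager->addSuccessMessage(__('Deleted.'));
        return $resultRedirect->setPath('customer/account');
    }
}
```

When auditing, grep custom controllers for FormKey\Validator (or for a CsrfValidatorInterface bypass) and confirm every state-changing action either validates the key explicitly or leaves Magento's default CSRF validation enabled.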