Make it harder to have routes vulnerable to CSRF

Created on 20 February 2025

Problem/Motivation

The security advisories list contains many fixed CSRF vulnerabilities. It proves that it is easy to forget to add CSRF protection on GET routes that do sensitive actions.

It is easy to create a route and simply forget to add CSRF protection to it.

Steps to reproduce

  1. Create a GET route that deletes an entity or changes a config value without a confirmation form.
  2. Don't add the _csrf_token requirement.
  3. Your route is vulnerable to CSRF attacks.

Proposed resolution

Adding CSRF tokens to every GET route would not be a good idea; it is only needed on routes that modify config or entities.
But maybe we could make it required to specify explicitly on each route whether it needs a CSRF token. (Similar to what we do for access checks on entity queries.)
This would force developers to think about it.

(Routes that return a form are already protected from CSRF attacks automatically and would not need this.)

An alternative approach would be to forbid sensitive actions in GET requests (see the related issue "CSRF tokens in GET requests can be leaked and reused; stop encouraging server-site state changes with GET requests"), but I don't think this would be easy to do.
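To make the steps to reproduce and the proposed resolution concrete, here is an added example (not code from the issue or from Drupal core) of a hypothetical `example_module.routing.yml`. The module name, route names, path, permission, controller and form classes are assumptions. The three routes deliberately share one path so the variants can be compared side by side; a real module would define only one of them.

```yaml
# Added example: a hypothetical example_module.routing.yml contrasting a
# CSRF-vulnerable GET route with the two protected alternatives the issue
# describes. All names below are assumptions for illustration.

# 1. Vulnerable: a plain GET request performs a state change and nothing ties
#    the request to the user's session, so a request forged from another site
#    is accepted as long as the user's browser is logged in.
example_module.item_delete_unprotected:
  path: '/example/item/{item}/delete'
  defaults:
    _controller: '\Drupal\example_module\Controller\ItemController::delete'
  requirements:
    _permission: 'administer example items'

# 2. Protected with a CSRF token requirement. Core's CsrfAccessCheck validates
#    the ?token= query parameter against a token bound to the route path, and
#    links built with Url::fromRoute() for this route get the token appended
#    automatically, so a forged request without a valid token is denied.
example_module.item_delete:
  path: '/example/item/{item}/delete'
  defaults:
    _controller: '\Drupal\example_module\Controller\ItemController::delete'
  requirements:
    _permission: 'administer example items'
    _csrf_token: 'TRUE'

# 3. Preferred: a confirmation form. The GET request only renders the form; the
#    actual change happens on POST, which the Form API protects with its own
#    form token, so no _csrf_token requirement is needed on the route.
example_module.item_delete_confirm:
  path: '/example/item/{item}/delete'
  defaults:
    _form: '\Drupal\example_module\Form\ItemDeleteForm'
    _title: 'Delete item'
  requirements:
    _permission: 'administer example items'
```

With variant 2 in place, `Url::fromRoute('example_module.item_delete', ['item' => 42])->toString()` produces a URL of the form `/example/item/42/delete?token=...`, and a request to the bare path without a valid `token` is rejected with 403. The hazard the issue points at is that variant 1 and variant 2 differ by a single requirement line, and nothing in the routing system currently flags its absence.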

Remaining tasks

User interface changes

Introduced terminology

API changes

Data model changes

Release notes snippet

Feature request
Status

Active

Version

11.1 🔥

Component

routing system

Created by

prudloff (Lille, France)

  • Security improvements

    It makes Drupal less vulnerable to abuse or misuse. Note, this is the preferred tag, though the Security tag has a large body of issues tagged to it. Do NOT publicly disclose security vulnerabilities; contact the security team instead. Anyone (whether security team or not) can apply this tag to security improvements that do not directly present a vulnerability e.g. hardening an API to add filtering to reduce a common mistake in contributed modules.
