Merge branch '7.2' into 7.3

javiereguiluz · javiereguiluz · commit e1dd12ee29e0 · 2025-05-27T08:40:57.000+02:00
* 7.2:
  Minor tweak
  [Security] Stateless CSRF is enabled by default in 7.2
diff --git a/security/csrf.rst b/security/csrf.rst
@@ -348,9 +348,10 @@ Stateless CSRF Tokens
 
     Stateless anti-CSRF protection was introduced in Symfony 7.2.
 
-By default CSRF tokens are stateful, which means they're stored in the session.
-But some token ids can be declared as stateless using the ``stateless_token_ids``
-option:
+Traditionally, CSRF tokens are stateful, meaning they're stored in the session.
+However, some token IDs can be declared as stateless using the
+``stateless_token_ids`` option. Stateless CSRF tokens are enabled by default
+in applications using :ref:`Symfony Flex <symfony-flex>`.
 
 .. configuration-block::
 
