Keep Symfony CSRF enabled on state-changing form flows
Symfony forms and controllers handling state changes should not disable CSRF protection without a clear API token boundary.
#Metadata
#Why it matters
Disabling CSRF for authenticated browser flows enables cross-site request forgery on sensitive actions.
#Remediation
Keep CSRF enabled for browser forms/controllers and only exempt endpoints that are explicitly authenticated by signed tokens.
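An added example (not taken from the rule file or the critiq-rules repository) showing a Symfony form type for a session-authenticated browser flow with CSRF disabled, next to the corrected form type. The class names, the `email` field and the `change_email` token id are hypothetical.

```php
<?php
// Added illustration; class names, fields and the token id are hypothetical.

namespace App\Form;

use Symfony\Component\Form\AbstractType;
use Symfony\Component\Form\Extension\Core\Type\EmailType;
use Symfony\Component\Form\Extension\Core\Type\SubmitType;
use Symfony\Component\Form\FormBuilderInterface;
use Symfony\Component\OptionsResolver\OptionsResolver;

// Weak: a state-changing browser form with CSRF protection switched off.
final class ChangeEmailTypeWeak extends AbstractType
{
    public function buildForm(FormBuilderInterface $builder, array $options): void
    {
        $builder->add('email', EmailType::class)->add('save', SubmitType::class);
    }

    public function configureOptions(OptionsResolver $resolver): void
    {
        // The submission is processed without any CSRF token check.
        $resolver->setDefaults(['csrf_protection' => false]);
    }
}

// Corrected: the form carries a hidden token field that is validated on submit.
final class ChangeEmailType extends AbstractType
{
    public function buildForm(FormBuilderInterface $builder, array $options): void
    {
        $builder->add('email', EmailType::class)->add('save', SubmitType::class);
    }

    public function configureOptions(OptionsResolver $resolver): void
    {
        $resolver->setDefaults([
            // Enabled by default when framework CSRF support is on; explicit here for clarity.
            'csrf_protection' => true,
            'csrf_field_name' => '_token',
            // A per-form id, so a token issued for another form is not accepted here.
            'csrf_token_id'   => 'change_email',
        ]);
    }
}
```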
#Repository path
The generated metadata points to critiq-rules/libs/rules/catalog/rules/php/php.security.symfony-csrf-disabled.rule.yaml.