6.4 (current)

Deprecate csrf

This document represents an architecture decision record (ADR) and has been mirrored from the ADR section in our Shopware 6 repository. You can find the original version here.


  • With browsers evolving, and with Shopware 6.5 dropping support for older browsers, SameSite cookies are now widely supported.
  • The current CSRF token implementation adds a lot of complexity to every form and Ajax call in the Storefront.
  • Given the SameSite cookie strategy, the CSRF token protection adds little additional security.


  • We remove the CSRF token protection in favor of SameSite cookies, which are already in use and already prevent CSRF attacks.
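The decision above rests on how browsers apply the SameSite attribute. The following added example (not code from the Shopware repository) models that rule and checks it against the cross-site POST that the Storefront token used to guard against; the hosts, cookie name and request objects are constructed for illustration, and the registrable-domain check is a simplification of the public suffix list.

```javascript
// Models which cookies a browser attaches to a request depending on the
// cookie's SameSite attribute. Constructed example; not Shopware code.

// SameSite is decided on the registrable domain (eTLD+1), so shop.example
// and www.shop.example are the same site. Real browsers consult the public
// suffix list; taking the last two labels is a simplification for this demo.
function registrableDomain(host) {
  return host.split(".").slice(-2).join(".");
}

function isSameSite(requestHost, initiatorHost) {
  return registrableDomain(requestHost) === registrableDomain(initiatorHost);
}

const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

// Decide whether a cookie with the given SameSite value is attached.
// req: { method, host, initiatorHost, topLevelNavigation }
function cookieIsSent(sameSite, req) {
  if (isSameSite(req.host, req.initiatorHost)) return true; // same-site: always sent
  switch (sameSite) {
    case "Strict":
      return false; // never sent cross-site
    case "None":
      return true; // sent cross-site (browsers additionally require Secure)
    case "Lax":
    default:
      // Treat an unspecified value as Lax, as Chromium does; set the
      // attribute explicitly rather than relying on that default.
      return req.topLevelNavigation && SAFE_METHODS.has(req.method);
  }
}

// The classic CSRF scenario: a form on another site posts to a
// state-changing Storefront route (constructed request descriptions).
const crossSitePost = { method: "POST", host: "shop.example", initiatorHost: "attacker.example", topLevelNavigation: true };
// A plain cross-site link: top-level GET navigation.
const crossSiteLink = { method: "GET", host: "shop.example", initiatorHost: "attacker.example", topLevelNavigation: true };
// A fetch()/XHR issued from another origin (not a navigation).
const crossSiteFetch = { method: "GET", host: "shop.example", initiatorHost: "attacker.example", topLevelNavigation: false };

// Summarises the outcomes the ADR relies on.
function demo() {
  return {
    laxBlocksPost: !cookieIsSent("Lax", crossSitePost),
    laxAllowsTopLevelGet: cookieIsSent("Lax", crossSiteLink),
    laxBlocksFetch: !cookieIsSent("Lax", crossSiteFetch),
    noneAllowsPost: cookieIsSent("None", crossSitePost),
  };
}
```

Note that under Lax the session cookie is still attached to a cross-site top-level GET, so state-changing actions must not be reachable via GET, and a cookie set with SameSite=None gets no CSRF protection from this mechanism at all.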


  • All CSRF implementations in the Storefront will be removed.