Drupal core provides CSRF protection to all forms for authenticated users. However, several forms are shown to anonymous users and are not protected with anti-CSRF tokens.

Drupal's anti-CSRF token works by combining information that is secret to the site, the action, and the individual user into a hashed value sent in the HTML of the page. That token must be sent back with the form POST to validate that it is not a CSRF submission. Generating tokens for anonymous users would require running PHP code and generating sessions for anonymous users. Most Drupal sites use the page cache built into Drupal, and many sites use an HTML cache (such as Varnish); both prevent the generation of a per-user token inside forms.

The ability to submit a login or search form via CSRF is not itself a weakness, but it can be leveraged to make certain kinds of attacks (e.g. a phishing attack) more effective.

This problem could be fixed in a contributed module. The Seckit module, for example, offers HTTP Origin header checks on POST requests, a measure that is also listed in the OWASP CSRF prevention cheat sheet. There is also a Drupal core issue to potentially address anonymous form CSRF protection in a future version of Drupal.
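
An Origin header check of the kind mentioned above needs no session or per-user token, so it can cover anonymous forms that are served from a cache. The PHP below is an added example, not Seckit's or Drupal core's code: the function names, the lower-cased header array, the Referer fallback, the reject-when-missing policy and the `example.com` hosts are all assumptions made for illustration.

```php
<?php
// Added example; not Seckit's code. All names here are hypothetical.

// Reduce a URL to "scheme://host[:port]" (default ports dropped); null if unusable.
function origin_of(?string $url): ?string {
  if ($url === null || $url === '' || strtolower($url) === 'null') {
    return null;
  }
  $p = parse_url($url);
  if ($p === false || empty($p['scheme']) || empty($p['host'])) {
    return null;
  }
  $scheme = strtolower($p['scheme']);
  $origin = $scheme . '://' . strtolower($p['host']);
  $default = ['http' => 80, 'https' => 443];
  if (isset($p['port']) && ($default[$scheme] ?? null) !== $p['port']) {
    $origin .= ':' . $p['port'];
  }
  return $origin;
}

// True when a request may proceed. $headers uses lower-case names.
function post_origin_allowed(string $method, array $headers, array $allowed): bool {
  if (strtoupper($method) !== 'POST') {
    return true; // Only POST submissions are checked, as described above.
  }
  // Prefer Origin; fall back to Referer when Origin is absent or "null".
  $source = origin_of($headers['origin'] ?? null)
    ?? origin_of($headers['referer'] ?? null);
  if ($source === null) {
    return false; // This example's choice: reject when neither header is usable.
  }
  // Exact match on the normalised origin; never a substring or prefix test.
  return in_array($source, array_map('origin_of', $allowed), true);
}

// Constructed sample requests against a site served from https://example.com.
$allowed = ['https://example.com'];
$samples = [
  'same-origin login' => ['origin' => 'https://example.com'],
  'cross-site form' => ['origin' => 'https://attacker.example'],
  'referer only' => ['referer' => 'https://example.com/user/login'],
  'lookalike host' => ['origin' => 'https://example.com.attacker.example'],
  'no headers' => [],
];
foreach ($samples as $label => $headers) {
  $ok = post_origin_allowed('POST', $headers, $allowed);
  printf("%-18s %s\n", $label, $ok ? 'allow' : 'reject');
}
```

Rejecting requests that carry neither header can block legitimate clients that strip them, so a deployment would normally log such rejections before enforcing them.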