Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
I think it would be a good idea to enable CSRF on all comment forms, even if anonymous users have the 'post comments' privilege.
I don't see a compelling reason not to add it.
Otherwise if a drupal site is configured with anonymous commenting it just leads to lots of spam (and there are plenty of legitimate reason not to hand out accounts to users of your site).
Comments