Problem/Motivation
The _csrf_request_header_token requirement does nothing for GET/HEAD/OPTIONS/TRACE requests, whatever methods the route declares: the check only applies to write operations, so a "safe" request to the same path is let through without a token.
This is documented here, but it is easy to miss: https://www.drupal.org/docs/8/api/routing-system/access-checking-on-rout...
A developer could add this requirement to a route that accepts multiple methods, test it only with a POST request, and never notice that the same route is unprotected when called with GET.
Steps to reproduce
Create a route like this:
test:
  path: '/test_csrf_foo'
  methods: [ 'GET', 'POST' ]
  defaults:
    _controller: '\Drupal\test\Controller\TestController::test'
    _title: 'Hello World'
  requirements:
    _permission: 'access content'
    _csrf_request_header_token: 'TRUE'
Send a GET request to /test_csrf_foo without an X-CSRF-Token header: access is allowed, the token is not required. Only the POST request is challenged for the token.
Proposed resolution
Maybe log something when CsrfRequestHeaderAccessCheck::access() returns allowed only because the request method is one of GET/HEAD/OPTIONS/TRACE, so the developer sees that the requirement is being skipped.
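To make the gap concrete without booting Drupal, here is an added stand-alone model of the decision the access check makes, together with the logging hook proposed above. This is example code written for this issue, not Drupal core's CsrfRequestHeaderAccessCheck; the helper names, the HMAC stand-in for the session token, and the constant-time compare are assumptions (core obtains the header token from CsrfTokenGenerator and validates it there). The constructed requests below target the route from the steps to reproduce.

```php
<?php
declare(strict_types=1);

// Added example, not Drupal core code: models the method-based early exit
// of the _csrf_request_header_token access check so the GET gap is visible.

// Methods the check never challenges (this list matches the documented behaviour).
const SAFE_METHODS = ['GET', 'HEAD', 'OPTIONS', 'TRACE'];
// Hypothetical stand-ins for the token value and the per-session seed that
// CsrfTokenGenerator would use; only the shape of the check matters here.
const TOKEN_KEY = 'rest';
const SESSION_SEED = 'hypothetical-session-seed';

/** Hypothetical stand-in for fetching the header token from /session/token. */
function expected_token(): string {
    return hash_hmac('sha256', TOKEN_KEY, SESSION_SEED);
}

/**
 * Returns 'allowed' or 'forbidden' for a request, mirroring the shape of the
 * core check: only a write method from an authenticated, session-backed user
 * is ever asked for X-CSRF-Token. $log is the proposed hook that records when
 * the requirement was skipped purely because of the method.
 */
function csrf_header_access(
    string $method,
    array $headers,
    bool $authenticated,
    bool $hasSession,
    ?string &$reason = null,
    ?callable $log = null
): string {
    $method = strtoupper($method);
    if (in_array($method, SAFE_METHODS, true)) {
        $reason = "method $method is exempt from the token check";
        if ($log !== null) {
            $log("_csrf_request_header_token skipped for $method request");
        }
        return 'allowed';
    }
    if (!$authenticated || !$hasSession) {
        // No cookie-backed session means no CSRF exposure to protect against.
        $reason = 'no authenticated session to protect';
        return 'allowed';
    }
    $supplied = $headers['X-CSRF-Token'] ?? '';
    // Constant-time compare so a wrong token and a missing token cost the same.
    if ($supplied === '' || !hash_equals(expected_token(), $supplied)) {
        $reason = 'X-CSRF-Token request header is missing';
        return 'forbidden';
    }
    $reason = 'valid token';
    return 'allowed';
}

// Constructed requests against the /test_csrf_foo route from the issue summary:
// an authenticated user with a session cookie, with and without the header.
$cases = [
    ['GET',  []],
    ['POST', []],
    ['POST', ['X-CSRF-Token' => expected_token()]],
    ['POST', ['X-CSRF-Token' => 'wrong']],
];
$logger = fn(string $message) => fwrite(STDERR, "LOG: $message\n");
foreach ($cases as [$method, $headers]) {
    $result = csrf_header_access($method, $headers, true, true, $reason, $logger);
    printf("%-4s token=%-4s -> %-9s (%s)\n",
        $method, isset($headers['X-CSRF-Token']) ? 'set' : 'none', $result, $reason);
}
```

Run with `php example.php`: the GET case is allowed with no token and emits the proposed log line, the POST cases are forbidden unless the header carries the expected token. The log only makes the skip visible; the actual protection for a state-changing handler comes from not exposing it on a safe method at all, i.e. giving it its own route with `methods: [ 'POST' ]` (or equivalent) so the requirement is evaluated on every request that reaches it.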
Remaining tasks
User interface changes
Introduced terminology
API changes
Data model changes
Release notes snippet
Comments