From a9805fbfc19802b2ea7b824733b31082d35ec293 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Wed, 29 Sep 2021 17:34:31 +0200
Subject: [PATCH] NEW The protection MAIN_SECURITY_CSRF_WITH_TOKEN=1 is on by default
---
 htdocs/core/class/conf.class.php | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/htdocs/core/class/conf.class.php b/htdocs/core/class/conf.class.php
index ec145f89f43..8e43a70c3fe 100644
--- a/htdocs/core/class/conf.class.php
+++ b/htdocs/core/class/conf.class.php
@@ -826,9 +826,10 @@ class Conf
 $this->global->MAIN_MODULE_DOLISTORE_API_KEY = 'dolistorecatalogpublickey1234567';
 }
 
- // If we are in develop mode, we activate the option MAIN_SECURITY_CSRF_WITH_TOKEN to 1 if not already defined.
- if (!isset($this->global->MAIN_SECURITY_CSRF_WITH_TOKEN) && $this->global->MAIN_FEATURES_LEVEL >= 2) {
- $this->global->MAIN_SECURITY_CSRF_WITH_TOKEN = 1;
+ // Enable by default the CSRF protection by token.
+ if (!isset($this->global->MAIN_SECURITY_CSRF_WITH_TOKEN)) {
+ $this->global->MAIN_SECURITY_CSRF_WITH_TOKEN = 1; // Value 2 uses also CSRF check for all GET requests
+ // Note: Set MAIN_SECURITY_CSRF_TOKEN_RENEWAL_ON_EACH_CALL=1 to have a renewal of token at each page call instead of each session (not recommended)
 }
 
 if (defined('MAIN_ANTIVIRUS_COMMAND')) {
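Review bot: The new default of 1 still leaves GET requests outside the token check if the inline comment (`Value 2 uses also CSRF check for all GET requests`) is accurate, so any state-changing action that is reachable through a plain URL keeps its CSRF exposure under this default, and that gap should be stated on the assignment line rather than left implied. I would rewrite the trailing comment as `// 1 = token checked on POST only (actions triggered via GET are NOT covered); 2 = token also required on all GET requests` and move the renewal note onto the comment line before the `if`. The `(not recommended)` remark on MAIN_SECURITY_CSRF_TOKEN_RENEWAL_ON_EACH_CALL gives no reason; presumably per-call renewal breaks multi-tab use and the browser back button, which is worth spelling out so administrators do not enable it blindly. Note also that `isset()` only guards against an absent value, so a constant persisted as an empty string or 0 silently disables the protection; whether that can happen depends on how `$this->global` is loaded, which is outside this hunk. The enclosing method of class Conf starts and ends outside the hunk.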