Reworded the CSRF article to better explain how to install and enable/disable it

javiereguiluz · javiereguiluz · commit 3695b0d3eeba · 2018-01-31T08:58:15.000+01:00
diff --git a/security/csrf.rst b/security/csrf.rst
@@ -12,24 +12,57 @@ CSRF protection works by adding a hidden field to your form that contains a
 value that only you and your user know. This ensures that the user - not some
 other entity - is submitting the given data.
 
-Before enabling the CSRF protection, install the CSRF support in your project
-(which in turn requires installing the Symfony Form component):
+Before using the CSRF protection, install it in your project (which in turn
+requires installing the Symfony Form component):
 
 .. code-block:: terminal
 
     $ composer require security-csrf form
 
+Then, enable/disable the CSRF protection with the ``csrf_protection`` option.
+(see the :ref:`CSRF configuration reference <reference-framework-csrf-protection>`
+for more information):
+
+.. configuration-block::
+
+    .. code-block:: yaml
+
+        # config/packages/framework.yaml
+        framework:
+            # ...
+            csrf_protection: ~
+
+    .. code-block:: xml
+
+        <!-- config/packages/framework.xml -->
+        <?xml version="1.0" encoding="UTF-8" ?>
+        <container xmlns="http://symfony.com/schema/dic/services"
+            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+            xmlns:framework="http://symfony.com/schema/dic/symfony"
+            xsi:schemaLocation="http://symfony.com/schema/dic/services
+                http://symfony.com/schema/dic/services/services-1.0.xsd
+                http://symfony.com/schema/dic/symfony
+                http://symfony.com/schema/dic/symfony/symfony-1.0.xsd">
+
+            <framework:config>
+                <framework:csrf-protection enabled="true" />
+            </framework:config>
+        </container>
+
+    .. code-block:: php
+
+        // config/packages/framework.php
+        $container->loadFromExtension('framework', array(
+            'csrf_protection' => null,
+        ));
+
 CSRF Protection in Symfony Forms
 --------------------------------
 
 Forms created with the Symfony Form component include CSRF tokens by default
 and Symfony checks them automatically, so you don't have to anything to be
 protected against CSRF attacks.
 
-This automatic protection is enabled/disabled with the ``csrf_protection`` option
-in the ``config/packages/framework.yaml`` file. For more information, see the
-:ref:`CSRF configuration reference <reference-framework-csrf-protection>`.
-
 .. _form-csrf-customization:
 
 By default Symfony adds the CSRF token in a hidden field called ``_token``, but
