Skip to content

Deprecate the storefront CSRF implementation

Deprecate the storefront CSRF implementation


This document represents an architecture decision record (ADR) and has been mirrored from the ADR section in our Shopware 6 repository. You can find the original version here


  • With browsers evolving and dropping support for older browser in 6.5 we have wide support for SameSite cookies.
  • The current CSRF implementation adds a lot of complexity to all forms and ajax calls in the Storefront.
  • The CSRF protection does not add a great improvement in security due to the SameSite strategy.


  • We remove the CSRF protection in favor of SameSite cookies which are used and prevent CSRF attacks already.


  • All CSRF implementations in the Storefront will be removed.