From f97b8d59f092fcbc14ea54daa9b59adfb33093ce Mon Sep 17 00:00:00 2001
From: Santiago San Martin
Date: Sun, 18 May 2025 11:52:46 -0300
Subject: [PATCH] [Security] iscsrftokenvalid-attribute-controller-usage
---
 security/csrf.rst | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/security/csrf.rst b/security/csrf.rst
index b303af9511b..cc1ab42482d 100644
--- a/security/csrf.rst
+++ b/security/csrf.rst
@@ -281,6 +281,20 @@ Suppose you want a CSRF token per item, so in the template you have something li
+In addition :class:`Symfony\\Component\\Security\\Http\\Attribute\\IsCsrfTokenValid`
+attribute can be applied to a controller class.
+This will cause the CSRF token validation to be executed for all routes defined within the controller::
+
+ use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
+ use Symfony\Component\Security\Http\Attribute\IsCsrfTokenValid;
+ // ...
+
+ #[IsCsrfTokenValid('controller')]
+ final class FooController extends AbstractController
+ {
+ // ...
+ }
+
 The :class:`Symfony\\Component\\Security\\Http\\Attribute\\IsCsrfTokenValid` attribute also accepts an :class:`Symfony\\Component\\ExpressionLanguage\\Expression` object evaluated to the id::