From 6d7c87f8eaea42c26004206fd1dc465df44e29cd Mon Sep 17 00:00:00 2001 From: Oviglo Date: Mon, 24 Mar 2025 10:51:29 +0100 Subject: [PATCH] [Security] Add methods param doc for isCsrfTokenValid attribute --- security/csrf.rst | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/security/csrf.rst b/security/csrf.rst index be8348597c7..fa15cee3db3 100644 --- a/security/csrf.rst +++ b/security/csrf.rst @@ -288,6 +288,15 @@ object evaluated to the id:: // ... do something, like deleting an object } +You can use the ``methods`` parameter to the attribute to specify the HTTP methods that are allowed for +the token validation, :class:`Symfony\\Component\\Security\\Http\\Attribute\\IsCsrfTokenValid` is ignored for other methods. By default, the attribute allows all methods:: + + #[IsCsrfTokenValid('delete-item', tokenKey: 'token', methods: ['DELETE'])] + public function delete(Post $post): Response + { + // ... delete the object + } + .. versionadded:: 7.1 The :class:`Symfony\\Component\\Security\\Http\\Attribute\\IsCsrfTokenValid`
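Review bot: In the paragraph added above the `delete()` example, "is ignored for other methods" leaves out the consequence for the action: a request that reaches `delete()` with any method other than DELETE runs the body with no token check at all. The example shows no method restriction on the route, so either add a sentence telling readers to limit the route to the same methods, or show a `#[Route]` attribute with a matching `methods` option above `#[IsCsrfTokenValid(...)]`. The first sentence is also a comma splice ("...for the token validation, :class:`...` is ignored for other methods") and would read better as two sentences, wrapped like the rest of the file. Finally, the new paragraph now sits directly above the existing `.. versionadded:: 7.1` note for the attribute; if `methods` was introduced in a later version than the attribute itself, it needs its own `versionadded` directive.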