Cakephp 3.5.6 disable CSRF Middleware for controller

Question

I\'m trying to disable the CSRF check for a single controller (API), but I\'m unable to find how I\'m able to achieve this.

The pre 3.5.0 CSRF Component had the abil

Answer 1

I think in Cake 3.6, you should remove CsrfProtectionMiddleware from middleware:

queue: src/Application.php

     public function middleware($middlewareQueue)
      {
           $middlewareQueue
        // Catch any exceptions in the lower layers,
        // and make an error page/response
        ->add(ErrorHandlerMiddleware::class)

        // Handle plugin/theme assets like CakePHP normally does.
        ->add(new AssetMiddleware([
            'cacheTime' => Configure::read('Asset.cacheTime')
        ]))

        // Add routing middleware.
        // Routes collection cache enabled by default, to disable route caching
        // pass null as cacheConfig, example: `new RoutingMiddleware($this)`
        // you might want to disable this cache in case your routing is extremely simple
        ->add(new RoutingMiddleware($this, '_cake_routes_'));


        // Add csrf middleware.
        //            ->add(new CsrfProtectionMiddleware([
        //                'httpOnly' => true
        //            ]));

        return $middlewareQueue;
     }