From 9445e5508b54a155f1c567fca33f947dd0911fbb Mon Sep 17 00:00:00 2001
From: Alexey Rogachev
Date: Tue, 11 Apr 2017 05:05:36 +0600
Subject: [PATCH] Fixes #10675: Added docs for disabling CSRF validation in standalone actions
---
docs/guide/security-best-practices.md | 27 ++++++++++++++++++++++++++-
1 file changed, 26 insertions(+), 1 deletion(-)
diff --git a/docs/guide/security-best-practices.md b/docs/guide/security-best-practices.md
index baeba0728c7..7ecb2733fae 100644
--- a/docs/guide/security-best-practices.md
+++ b/docs/guide/security-best-practices.md
@@ -209,11 +209,36 @@ class SiteController extends Controller
 }
 ```
+Disabling CSRF validation in [standalone actions](structure-controllers.md#standalone-actions) must be done in `init()`
+method. Do not place this code into `beforeRun()` method because it won't have effect.
+
+```php
+request;
+ if ($request->referrer === 'yiipowered.com'
+ && $model->load($request->post())
+ && $model->validate()
+ ) {
+ $model->sendEmail();
+ }
+ }
+}
+```
+
 Further reading on the topic: - - Avoiding file exposure ----------------------