I’ve been reading about CSRF within Yii 2, and I read that it can be turned on or off. If I am seeing hidden fields and meta tags with the CSRF tokens, does that mean that it’s on? I thought it was off by default?
Also, does Yii handle the CSRF checks automatically, or do you have to manually check that the POST’ed token matches the one in the cookie?