Hi,
Is it necessary to include a CSRF token in a site search form which uses GET rather than POST (obviously), given that on each page we already have a token in the head of the document?
If we should use a token in the form, is it OK to display this in the URL when the form is submitted via GET?
I’m using the Html helper for the form, e.g.:
<?= Html::beginForm(Url::to(['/search']), 'get', ['class' => 'search']) ?>
<?= Html::input('hidden', Yii::$app->request->csrfParam, Yii::$app->request->csrfToken) ?>
<?= Html::input('text', 'search', null, ['placeholder' => 'Search...']) ?>
<?= Html::submitButton('GO') ?>
<?= Html::endForm() ?>
Many thanks!