I have just discovered that the CSRF component is now separate from the security one and needs to be loaded separately.
I was wondering should I just load it for the entire app or only for vulnerable pages/actions.
I have an app with 6 frontend pages with a contact form and login page. Everything else is protected behind the auth component.