diff --git a/composer.json b/composer.json index 4f2469b..50b129f 100644 --- a/composer.json +++ b/composer.json @@ -40,6 +40,7 @@ "symfony/property-info": "^7.2", "symfony/runtime": "^7.2", "symfony/security-bundle": "^7.2", + "symfony/security-csrf": "^7.2", "symfony/serializer": "^7.2", "symfony/stimulus-bundle": "^2.21", "symfony/string": "^7.2", diff --git a/composer.lock b/composer.lock index 68cc9c3..e8c02f1 100644 --- a/composer.lock +++ b/composer.lock @@ -4,7 +4,7 @@ "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies", "This file is @generated automatically" ], - "content-hash": "67e324518270930150d990299cd0b613", + "content-hash": "31c3ee9a06365c5a9df6f2ed45712eb3", "packages": [ { "name": "apereo/phpcas", diff --git a/config/packages/framework.yaml b/config/packages/framework.yaml index 877eb25..975ff2f 100644 --- a/config/packages/framework.yaml +++ b/config/packages/framework.yaml @@ -1,10 +1,14 @@ # see https://symfony.com/doc/current/reference/configuration/framework.html framework: secret: '%env(APP_SECRET)%' - #csrf_protection: true + csrf_protection: true # Note that the session will be started ONLY if you read or write from it. - session: true + session: + enabled: true + handler_id: null + cookie_secure: auto + #esi: true #fragments: true diff --git a/config/packages/security.yaml b/config/packages/security.yaml index b445fef..c23148d 100644 --- a/config/packages/security.yaml +++ b/config/packages/security.yaml @@ -23,6 +23,8 @@ security: login_path: app_login check_path: app_login enable_csrf: true + csrf_token_id: authenticate + csrf_parameter: _csrf_token default_target_path: / logout: path: app_logout diff --git a/src/Controller/UserController.php b/src/Controller/UserController.php index e095480..6ae6501 100644 --- a/src/Controller/UserController.php +++ b/src/Controller/UserController.php 
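Review bot: `cookie_secure: auto` in the new `session:` block of framework.yaml only sets the Secure flag when Symfony sees the request as HTTPS; if the app runs behind a TLS-terminating proxy without trusted proxies configured, the cookie goes out without the flag, so for an HTTPS-only deployment `cookie_secure: true` is the stricter value. The block sets no `cookie_samesite`, and the CSRF tokens enabled by `csrf_protection: true` are stored in this session by default, so either confirm the effective default is `lax` or state it explicitly with `cookie_samesite: lax`. `handler_id: null` keeps PHP's native save handler, which matches the framework recipe and needs no change.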
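Review bot: `csrf_token_id: authenticate` and `csrf_parameter: _csrf_token` in security.yaml are the form_login defaults, so this hunk documents rather than changes behaviour; what actually has to exist is a hidden input named `_csrf_token` in the login template filled with `{{ csrf_token('authenticate') }}`, and that template is not in this diff — with `enable_csrf: true` already set above, a missing field rejects every login. The `logout:` block is cut off after `path: app_logout`; if it does not also set `enable_csrf: true`, logout remains triggerable by a plain cross-site link, which is worth closing in the same change.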
@@ -2,18 +2,17 @@
 
 namespace App\Controller;
 
-use App\Entity\Project;
 use App\Entity\User;
 use App\Form\UserType;
 use App\Repository\UserRepository;
 use Doctrine\ORM\EntityManagerInterface;
 use Ramsey\Uuid\Uuid;
 use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
-use Symfony\Component\HttpFoundation\JsonResponse;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\Response;
 use Symfony\Component\PasswordHasher\Hasher\UserPasswordHasherInterface;
 use Symfony\Component\Routing\Attribute\Route;
+use Symfony\Component\Security\Csrf\CsrfTokenManagerInterface;
 
 class UserController extends AbstractController
 {
@@ -127,8 +126,11 @@ class UserController extends AbstractController
 }
 
 #[Route('/user', name: 'app_user_profil')]
- public function profil(Request $request, UserPasswordHasherInterface $passwordHasher, EntityManagerInterface $em): Response
+ public function profil(CsrfTokenManagerInterface $csrfTokenManager, Request $request, UserPasswordHasherInterface $passwordHasher, EntityManagerInterface $em): Response
 {
+ $token = $csrfTokenManager->getToken('user')->getValue();
+ dump($token);
+
 $user = $em->getRepository(User::class)->find($this->getUser());
 if (!$user) {
 return $this->redirectToRoute('app_home');
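Review bot: `dump($token)` in the new `profil()` body is a debugging call that writes a freshly minted CSRF token into the debug output and must not ship; `$token` is also unused in the visible part of the hunk (`profil()` continues past it), and its id `'user'` does not match the `static::class` id that `UserType` now declares in this same diff, so a token minted here would not validate against that form anyway. Unless the value is consumed further down the method, drop both added lines together with the `CsrfTokenManagerInterface $csrfTokenManager` parameter and let the form component's `_token` field carry the protection. If `dump()` comes only from a dev dependency, the call would additionally fail in the prod environment — worth checking.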
@@ -162,30 +164,4 @@ class UserController extends AbstractController
 'form' => $form,
 ]);
 }
-
- #[Route('/user/selectproject', name: 'app_user_selectproject')]
- public function selectproject(Request $request, EntityManagerInterface $em): JsonResponse
- {
- $id = $request->get('id');
-
- $project = $em->getRepository(Project::class)->find($id);
- if (!$project) {
- return new JsonResponse(['status' => 'KO', 'message' => 'ID non fourni'], Response::HTTP_NOT_FOUND);
- }
-
- $user = $this->getUser();
- if (!$user instanceof User) {
- throw new \LogicException('L\'utilisateur actuel n\'est pas une instance de App\Entity\User.');
- }
-
- $projects = $user->getProjects();
- if (!$projects->contains($project)) {
- return new JsonResponse(['status' => 'KO', 'message' => 'Projet non autorisée'], Response::HTTP_FORBIDDEN);
- }
-
- $user->setProject($project);
- $em->flush();
-
- return new JsonResponse(['status' => 'OK', 'message' => 'Projet selectionnée'], Response::HTTP_OK);
- }
 }
diff --git a/src/Form/GroupType.php b/src/Form/GroupType.php
index 0ee535c..b8e7518 100644
--- a/src/Form/GroupType.php
+++ b/src/Form/GroupType.php
@@ -61,6 +61,9 @@ class GroupType extends AbstractType
 {
 $resolver->setDefaults([
 'data_class' => Group::class,
+ 'csrf_protection' => true,
+ 'csrf_field_name' => '_token',
+ 'csrf_token_id' => static::class,
 'mode' => 'submit',
 ]);
 }
diff --git a/src/Form/OptionType.php b/src/Form/OptionType.php
index b8c0612..502601e 100644
--- a/src/Form/OptionType.php
+++ b/src/Form/OptionType.php
@@ -39,6 +39,9 @@ class OptionType extends AbstractType
 {
 $resolver->setDefaults([
 'data_class' => ProjectOption::class,
+ 'csrf_protection' => true,
+ 'csrf_field_name' => '_token',
+ 'csrf_token_id' => static::class,
 'mode' => 'submit',
 ]);
 }
diff --git a/src/Form/ProjectType.php b/src/Form/ProjectType.php
index ec7097f..95cb679 100644
--- a/src/Form/ProjectType.php
+++ b/src/Form/ProjectType.php
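Review bot: The three options added to `configureOptions()` in GroupType are repeated verbatim in OptionType, ProjectType, ProjectVotedType and UserType; with `framework.csrf_protection: true` the form component already defaults `csrf_protection` to true and `csrf_field_name` to `_token`, so only `csrf_token_id` carries a real change. Using `static::class` pins the token to the concrete type's FQCN, which is stable across form names but also means a subclass of this type gets a different id than its parent — fine if intended. If the explicit options stay, a short comment such as `// CSRF token id is the FQCN so it does not depend on the form name` would spare the next reader from checking the defaults.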
@@ -71,6 +71,9 @@ class ProjectType extends AbstractType { $resolver->setDefaults([ 'data_class' => Project::class, + 'csrf_protection' => true, + 'csrf_field_name' => '_token', + 'csrf_token_id' => static::class, 'mode' => 'submit', ]); } diff --git a/src/Form/ProjectVotedType.php b/src/Form/ProjectVotedType.php index a0c1f5f..12d4ab8 100644 --- a/src/Form/ProjectVotedType.php +++ b/src/Form/ProjectVotedType.php @@ -54,6 +54,9 @@ class ProjectVotedType extends AbstractType { $resolver->setDefaults([ 'data_class' => Project::class, + 'csrf_protection' => true, + 'csrf_field_name' => '_token', + 'csrf_token_id' => static::class, 'mode' => 'submit', ]); } diff --git a/src/Form/UserType.php b/src/Form/UserType.php index feaa4ed..8d1a4ea 100644 --- a/src/Form/UserType.php +++ b/src/Form/UserType.php @@ -81,6 +81,9 @@ class UserType extends AbstractType { $resolver->setDefaults([ 'data_class' => User::class, + 'csrf_protection' => true, + 'csrf_field_name' => '_token', + 'csrf_token_id' => static::class, 'mode' => 'submit', 'modeAuth' => 'SQL', ]); diff --git a/templates/user/edit.html.twig b/templates/user/edit.html.twig index 7bfbac1..3a868a2 100644 --- a/templates/user/edit.html.twig +++ b/templates/user/edit.html.twig @@ -7,6 +7,7 @@ {{ form_start(form) }} + {{ form_widget(form.submit) }} Annuler {%if mode=="update" %}Supprimer{%endif%}
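Review bot: The added `{{ form_widget(form.submit) }}` in edit.html.twig is harmless by itself, but the CSRF check these forms now enforce depends on the hidden `_token` input, which is emitted only by `{{ form_end(form) }}` (or `form_rest`); the hunk ends before the form is closed, so confirm `form_end` is still called after the Annuler/Supprimer links, otherwise every submission now fails with an invalid-token error. Rendering the submit widget explicitly marks it as rendered, so `form_end` will not emit a second button.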