Should CakePHP 3 CSRF be active for entire app?


I have just discovered that the CSRF component is now separate from the security one and needs to be loaded separately.

I was wondering whether I should just load it for the entire app or only for vulnerable pages/actions.

I have an app with 6 frontend pages with a contact form and login page. Everything else is protected behind the auth component.


The purpose of components is to share functions between multiple controllers. The CSRF page also has a tidbit about how to disable CSRF for a certain action (though it frowns upon it) in the beforeFilter function. This all leads me to saying that you should enable it in your AppController with your other components like the Auth component and others.

Disabling CSRF for an Action
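The setup the answer recommends, as an added example (this is not code from the question, the answer, or the CakePHP project): the Csrf component is loaded once in AppController alongside Auth, so the six frontend pages, the contact form and the login form all get a token without per-controller work, and the per-action opt-out the linked docs section describes is kept to an explicit allowlist in beforeFilter(). The cookie settings, the Auth configuration and the empty `$skipCsrf` map are assumptions for illustration; `$request->getParam()` assumes CakePHP 3.4 or later.

```php
<?php
// Added example, not from the original post: app-wide CSRF protection in
// CakePHP 3 with a narrow, explicit per-action opt-out.
namespace App\Controller;

use Cake\Controller\Controller;
use Cake\Event\Event;

class AppController extends Controller
{
    public function initialize()
    {
        parent::initialize();

        $this->loadComponent('RequestHandler');
        $this->loadComponent('Flash');

        // Loading Csrf here means every controller that extends AppController
        // inherits it: FormHelper emits the hidden _csrfToken field and the
        // component rejects POST/PUT/PATCH/DELETE requests that lack a
        // matching token, including the unauthenticated contact and login forms.
        $this->loadComponent('Csrf', [
            // Assumed settings: session-only cookie, not readable from
            // JavaScript, only sent over HTTPS.
            'expiry'   => 0,
            'httpOnly' => true,
            'secure'   => true,
        ]);

        // Assumed Auth configuration; kept minimal for the example.
        $this->loadComponent('Auth', [
            'loginAction' => ['controller' => 'Users', 'action' => 'login'],
        ]);
    }

    public function beforeFilter(Event $event)
    {
        parent::beforeFilter($event);

        // Per-action opt-out from the docs section linked above. Leave this
        // map empty unless an action must accept POSTs that cannot carry a
        // session token (for example a signed third-party callback), and
        // make sure such an action authenticates the request some other way.
        // Constructed placeholder; nothing is skipped as written.
        $skipCsrf = [
            // 'Webhooks' => ['receive'],
        ];

        $controller = $this->request->getParam('controller');
        $action     = $this->request->getParam('action');
        $skipped    = isset($skipCsrf[$controller]) ? $skipCsrf[$controller] : [];

        if (in_array($action, $skipped, true)) {
            // Detaching the component's listeners stops its startup() check
            // for this request only; beforeFilter() runs before startup().
            $this->eventManager()->off($this->Csrf);
        }
    }
}
```

Because the opt-out is keyed on both controller and action, adding an entry is a deliberate, reviewable change rather than a side effect of a name collision between two controllers' actions.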