diff --git a/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/Configuration.php b/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/Configuration.php
index 557dc39414..fe3c3501d5 100644
--- a/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/Configuration.php
+++ b/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/Configuration.php
@@ -94,7 +94,7 @@ class Configuration implements ConfigurationInterface
 ->canBeEnabled()
 ->end()
 ->arrayNode('csrf_protection')
- ->canBeEnabled()
+ ->canBeDisabled()
 ->children()
 ->scalarNode('field_name')->defaultValue('_token')->end()
 ->end()
diff --git a/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/ConfigurationTest.php b/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/ConfigurationTest.php
index 305f4e2dee..3c6c0ea475 100644
--- a/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/ConfigurationTest.php
+++ b/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/ConfigurationTest.php
@@ -94,7 +94,7 @@ class ConfigurationTest extends \PHPUnit_Framework_TestCase
 'default_locale' => 'en',
 'form' => array('enabled' => false),
 'csrf_protection' => array(
- 'enabled' => false,
+ 'enabled' => true,
 'field_name' => '_token',
 ),
 'esi' => array('enabled' => false),
diff --git a/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/Fixtures/yml/csrf.yml b/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/Fixtures/yml/csrf.yml
new file mode 100644
index 0000000000..ce5fc591ed
--- /dev/null
+++ b/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/Fixtures/yml/csrf.yml
@@ -0,0 +1,6 @@
+framework:
+ secret: s3cr3t
+ form: ~
+ session: ~
+ # CSRF should be enabled by default
+ # csrf_protection: ~
diff --git a/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/YamlFrameworkExtensionTest.php b/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/YamlFrameworkExtensionTest.php
index 43070c00c9..b8dcefc558 100644
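Review bot: In the Configuration.php hunk the `csrf_protection` node now turns CSRF tokens on whenever the key is omitted, yet the tree carries no hint of that default or of how to opt out; a one-line comment above `->canBeDisabled()` such as `// on by default; set csrf_protection: false to opt out` would document it (the builder's `->info()` is an alternative). The updated expectation in ConfigurationTest shows the processed defaults with `form` disabled and `csrf_protection` enabled at the same time, so it is worth confirming that the extension, which is not part of this diff, neither fails nor silently skips token checks when CSRF is on but forms or the session are not configured. The enclosing method starts and ends outside the hunk.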
--- a/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/YamlFrameworkExtensionTest.php
+++ b/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/YamlFrameworkExtensionTest.php
@@ -22,4 +22,11 @@ class YamlFrameworkExtensionTest extends FrameworkExtensionTest
 $loader = new YamlFileLoader($container, new FileLocator(__DIR__.'/Fixtures/yml'));
 $loader->load($file.'.yml');
 }
+
+ public function testCsrfProtectionShouldBeEnabledByDefault()
+ {
+ $container = $this->createContainerFromFile('csrf');
+
+ $this->assertTrue($container->getParameter('form.type_extension.csrf.enabled'));
+ }
 }
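Review bot: `testCsrfProtectionShouldBeEnabledByDefault()` is added to the YAML subclass only, so the secure default is pinned for one loader and not for any other subclass of `FrameworkExtensionTest`; moving it to the base class with matching fixtures would cover them (presumably other fixture formats exist next to `Fixtures/yml`, which is not visible here). The `csrf.yml` fixture enables both `form` and `session`, so the test says nothing about an omitted key when the session is not configured. A companion test that loads a fixture with `csrf_protection: false` and calls `assertFalse()` on the same parameter would guard the opt-out path as well. A short docblock such as `/** Omitting csrf_protection must leave form CSRF checks enabled. */` would state the intent.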