Proposal to migrate to tokenless/header only CSRF in Plug/Phoenix

I use Origin header alone in production. Besides what you mentioned, there is at least one more problem with CSRF tokens nowadays because:

  • I store all session data server-side and only set a random key as the session cookie. (pretty common practice)
  • I have forms in public accessible pages (pretty common practice)
  • Bots are pounding those pages non-stop ((what can I say?)

By not generating and storing CSRF tokens, I avoided thrashing my session storage.

1 Like