I use Origin header alone in production. Besides what you mentioned, there is at least one more problem with CSRF tokens nowadays because:
- I store all session data server-side and only set a random key as the session cookie. (pretty common practice)
- I have forms in public accessible pages (pretty common practice)
- Bots are pounding those pages non-stop ((what can I say?)
By not generating and storing CSRF tokens, I avoided thrashing my session storage.






















