CSRF protection

[lpil]

We want to provide CSRF protection so the programmer does not have to worry about how to implement this security requirement.

Are CSRF tokens still required? Or are SameSite cookie (possibly combined with origin header checking?) enough? The support for SameSite seems good: https://caniuse.com/?search=SameSite

Perhaps CSRF tokens could be a third party library which can be used by teams that need to support older browsers.

[benbot]

Happened upon this issue and a relevant stack overflow link.

https://security.stackexchange.com/questions/121971/will-same-site-cookies-be-sufficient-protection-against-csrf-and-xss

Seems like CSRF protection is still a pretty important practice.

Hope it's helpful :)

[lpil]

Hello! Yes, the question was whether there's any reason to provide helpers for a token based approach rather. As far as I'm aware it's no longer required, but I could be mistaken.