XenForo uses a double submit cookie approach to prevent CSRF attacks which does work quite well (except for cases where it breaks).
As CSRF tokens are included in the HTML, this does complicate things in some cases, for example when caching HTML for guests.
It would be nice if the requirement for those tokens could optionally be disabled for modern browsers supporting Sec-Fetch-Site:
Protect your resources from web attacks with Fetch Metadata | Articles | web.dev
"Fetch Metadata is a new web platform feature designed to allow servers to protect themselves from cross-origin attacks."
This would allow caching HTML on edge nodes more easily (without having to run code on edge nodes to update the token, or to rely on the client to fetch fresh tokens by passing refresh-token requests straight through to the origin).
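The check the post proposes, written out as an added example (this is not XenForo's code, and the cookie name `csrf`, the form field `csrf_token` and the function names are assumptions made here). When the browser sends `Sec-Fetch-Site`, a state-changing request is accepted or rejected from that header alone, so the HTML served to guests does not need a per-visitor token and can be cached at the edge; when the header is absent (older browsers, non-browser clients), the existing double-submit cookie comparison still applies. Safe methods are never checked, because they must not change state.

```python
import hmac
import secrets
from typing import Mapping, Optional

# Methods that must not change server state and therefore need no CSRF check.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}

# Sec-Fetch-Site values accepted for state-changing requests.
# "same-origin": the request came from our own pages.
# "none": not triggered by any web page (typed URL, bookmark, browser UI).
# "same-site" is deliberately NOT trusted: a sibling subdomain is still
# another application. "cross-site" is always rejected.
TRUSTED_FETCH_SITES = {"same-origin", "none"}


def issue_csrf_token() -> str:
    """Random token to be set both as the cookie and in the HTML form (double submit)."""
    return secrets.token_urlsafe(32)


def double_submit_ok(cookies: Mapping[str, str], form: Mapping[str, str]) -> bool:
    """Classic double-submit cookie check: cookie value must equal the submitted field."""
    cookie_token = cookies.get("csrf")        # assumed cookie name
    form_token = form.get("csrf_token")       # assumed form field name
    if not cookie_token or not form_token:
        return False
    # Constant-time comparison so token mismatch cannot be timed.
    return hmac.compare_digest(cookie_token, form_token)


def fetch_metadata_verdict(headers: Mapping[str, str]) -> Optional[bool]:
    """Return True/False from Sec-Fetch-Site, or None if the browser did not send it.

    `headers` is expected with lower-cased keys (most frameworks normalise this).
    """
    site = headers.get("sec-fetch-site")
    if site is None:
        return None
    return site.strip().lower() in TRUSTED_FETCH_SITES


def request_allowed(method: str, headers: Mapping[str, str],
                    cookies: Mapping[str, str], form: Mapping[str, str]) -> bool:
    """Decide whether a request passes CSRF protection.

    Order of precedence:
      1. safe methods pass unconditionally;
      2. if Sec-Fetch-Site is present, its verdict is final (no token needed);
      3. otherwise fall back to the double-submit cookie token.
    """
    if method.upper() in SAFE_METHODS:
        return True
    verdict = fetch_metadata_verdict(headers)
    if verdict is not None:
        return verdict
    return double_submit_ok(cookies, form)


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    tok = issue_csrf_token()
    cases = [
        ("GET",  {},                                  {},              {}),
        ("POST", {"sec-fetch-site": "same-origin"},   {},              {}),
        ("POST", {"sec-fetch-site": "cross-site"},    {"csrf": tok},   {"csrf_token": tok}),
        ("POST", {},                                  {"csrf": tok},   {"csrf_token": tok}),
        ("POST", {},                                  {"csrf": tok},   {"csrf_token": "x"}),
    ]
    for method, headers, cookies, form in cases:
        print(method, headers.get("sec-fetch-site", "<no header>"),
              "->", "allowed" if request_allowed(method, headers, cookies, form) else "rejected")
```

Note the third case: a cross-site POST is rejected even though the tokens match, because once the browser vouches for the request origin the header is treated as authoritative. If you would rather keep tokens as a second layer where they happen to be present, change `request_allowed` to require both checks when a form token is submitted; the cacheable-guest-HTML benefit only needs the header path to stand on its own.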