Duplicate Add an option to disable CSRF checks for modern browsers


Well-known member
XenForo uses a double submit cookie approach to prevent CSRF attacks which does work quite well (except for cases where it breaks).

As CSRF tokens are included in the HTML this does complicate things in some cases, for example when caching HTML for guests.

It would be nice if the requirement for those tokens could optionally be disabled for modern browsers supporting Sec-Fetch-Site:

This would allow to cache HTML on edge nodes more easily (without having to run code on edge nodes to update token or to rely on the client to fetch fresh tokens by passing through refresh token requests directly to the origin)
Upvote 3
This suggestion has been closed. Votes are no longer accepted.
Top Bottom