Consider a site enforcing the Origin header is present and set to the expected origin. An older browser or one with an extension removing the header will be rejected. SameSite=Strict cookies are used for defense in depth.
Is it sensible for this site to stop using CSRF tokens?
You could make the argument that CSRF tokens are defense in depth, but I don't see what it adds. It was always an ugly hack and getting rid of it would be nice.
Can also enforce Sec-Fetch-Site being same-origin when present as a redundant check but it's not portable like Origin.
CSRF tokens in the HTML are particularly horrible because they prevent caching and the user can accidentally leak them via the page source.
Prior to Origin/Sec-Fetch-Site, there weren't really cleaner ways of preventing CSRF for non-authenticated APIs like a sign in form though.
Without a CSRF token I recommend validating the content-type (not a real security mechanism but still a good idea), origin, referer and any custom request header or double submit cookie, while setting the SameSite=Strict flag on a cookie required to make the request.
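The checks discussed in this thread, combined into one server-side gate, as an added example that is not code from any of the posters: the Origin header is required and must match the expected origin (an old browser or a header-stripping extension is rejected, as the question assumes), Sec-Fetch-Site is enforced only when present, and the Content-Type is restricted to the forms a browser form or fetch can send. The origin `https://app.example`, the header dict shape and the function name `check_csrf` are assumptions for the example.

```python
from urllib.parse import urlsplit

# Constructed placeholder for the site's own origin.
EXPECTED_ORIGIN = "https://app.example"

# Methods that must not change state and therefore need no CSRF gate.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})

# Media types the state-changing endpoints actually accept. Rejecting anything
# else is the "content-type" check from the last post: not a security boundary
# on its own, but it narrows what a cross-site form or fetch can deliver.
ALLOWED_CONTENT_TYPES = frozenset({
    "application/json",
    "application/x-www-form-urlencoded",
    "multipart/form-data",
})


def _header(headers, name):
    """Case-insensitive lookup in a plain {name: value} header dict."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def _origin_tuple(value):
    """Reduce an origin string to (scheme, host[:port]) for comparison."""
    parts = urlsplit(value.strip())
    return (parts.scheme.lower(), parts.netloc.lower())


def check_csrf(method, headers, expected_origin=EXPECTED_ORIGIN):
    """Return (allowed, reason) for a request described by method + headers.

    Policy, in order:
      1. safe methods pass unconditionally;
      2. Origin is mandatory and must equal the expected origin
         (a literal "null" Origin therefore fails, as does a missing one);
      3. Sec-Fetch-Site, when the browser sends it, must be "same-origin";
      4. Content-Type must be one of the accepted media types.
    """
    if method.upper() in SAFE_METHODS:
        return True, "safe method"

    origin = _header(headers, "Origin")
    if origin is None:
        return False, "missing Origin header"
    if _origin_tuple(origin) != _origin_tuple(expected_origin):
        return False, f"unexpected Origin {origin!r}"

    fetch_site = _header(headers, "Sec-Fetch-Site")
    if fetch_site is not None and fetch_site.strip().lower() != "same-origin":
        return False, f"Sec-Fetch-Site is {fetch_site!r}"

    content_type = _header(headers, "Content-Type") or ""
    media_type = content_type.split(";", 1)[0].strip().lower()
    if media_type not in ALLOWED_CONTENT_TYPES:
        return False, f"unexpected Content-Type {content_type!r}"

    return True, "ok"


def session_cookie(value):
    """Set-Cookie value for the session cookie with the SameSite=Strict
    defense-in-depth flag from the question, plus Secure and HttpOnly."""
    return f"session={value}; Path=/; Secure; HttpOnly; SameSite=Strict"


if __name__ == "__main__":
    # Constructed sample requests: one legitimate form post, one cross-site post.
    print(check_csrf("POST", {"Origin": "https://app.example",
                              "Content-Type": "application/x-www-form-urlencoded"}))
    print(check_csrf("POST", {"Origin": "https://attacker.example",
                              "Content-Type": "application/x-www-form-urlencoded"}))
```

The Origin comparison is done on the parsed (scheme, host:port) pair rather than the raw string so that case differences in the host do not cause false rejections, while any scheme or port mismatch still fails. Because the gate sits on the request rather than in the page, responses no longer carry a per-user token and can be cached, which is the point made above about tokens in HTML.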