[FastAPI] Consider / Implement CSRF Correctly
In our PHP codebase, there are various forms which employ a token input; a token input that is then checked to match the submitter's AURSID. In essence, it is a CSRF implementation that does not cohere with CSRF at all, other than passing a token and checking the token is correct. In fact, I'd say exposing AURSID in the DOM promotes insecurity.
So, I'm opening this issue to start discussion on this topic.
I'd like to ask where folks would consider CSRF is needed to promote security, and why that is the case.
Edited by Kevin Morris
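As an added illustration of the point raised in the issue (this is example code written here, not aurweb's own implementation or anything from the FastAPI project), the block below shows a CSRF token that is bound to the session without placing the session identifier in the DOM. The token is an HMAC of the session cookie value under a server-side secret, so a page that leaks the token does not leak the session, and a token minted for one session is rejected for another. The cookie name AURSID and the form field name token come from the issue; SERVER_SECRET, the session values and the handle_form_post helper are constructed for the example. In a FastAPI application the same two functions would sit behind a dependency that reads the cookie and the form field.

```python
import hashlib
import hmac

# Constructed secret for the example only. A deployment would load this
# from configuration and rotate it; it must never appear in the DOM.
SERVER_SECRET = b"example-only-csrf-secret-replace-in-deployment"


def make_csrf_token(session_id: str, secret: bytes = SERVER_SECRET) -> str:
    """Derive the CSRF token for a session.

    HMAC-SHA256 over the session id under a server secret: the token is
    tied to this session, but knowing the token does not reveal the
    session id, which is what the issue objects to in the PHP version.
    """
    return hmac.new(secret, session_id.encode("utf-8"), hashlib.sha256).hexdigest()


def verify_csrf_token(session_id: str, submitted: str, secret: bytes = SERVER_SECRET) -> bool:
    """Check a submitted form token against the session it claims to belong to.

    Recomputes the expected token and compares in constant time so the
    check does not leak how many leading characters matched.
    """
    if not session_id or not submitted:
        return False
    expected = make_csrf_token(session_id, secret)
    return hmac.compare_digest(expected, submitted)


def handle_form_post(cookies: dict, form: dict) -> int:
    """Simulated state-changing POST handler (assumption: cookie AURSID carries
    the session id, form field 'token' carries the CSRF token, as in the issue).

    Returns an HTTP status code: 403 when the CSRF check fails, 200 otherwise.
    """
    session_id = cookies.get("AURSID", "")
    submitted = form.get("token", "")
    if not verify_csrf_token(session_id, submitted):
        return 403
    # ... perform the state change here ...
    return 200


if __name__ == "__main__":
    # Constructed session ids; a real AURSID would be a random value.
    sid = "constructed-session-id-1"
    token = make_csrf_token(sid)
    print("rendered hidden input:", f'<input type="hidden" name="token" value="{token}">')
    print("matching session  ->", handle_form_post({"AURSID": sid}, {"token": token}))
    print("old scheme (sid)  ->", handle_form_post({"AURSID": sid}, {"token": sid}))
    print("foreign session   ->", handle_form_post({"AURSID": "constructed-session-id-2"}, {"token": token}))
```

The rendered hidden input contains only the HMAC output, so the session cookie value stays out of the page source; submitting the session id itself, as the PHP forms effectively do, no longer validates.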