Django supports samesite on session cookies now, and it's on (set to lax) by default. Whether or not that completely covers your surface risk to CSRF attacks is a somewhat different question.

On Sun, Apr 19, 2020 at 3:12 PM guettli <[email protected]> wrote:
> I look at this page: https://docs.djangoproject.com/en/3.0/ref/csrf/
> ... and then I look at this page: https://scotthelme.co.uk/csrf-is-dead/
>
> Is a CSRF token still needed today?
>
> All my users use a modern browser.
>
> It would be very nice if I could get rid of the CSRF token.
>
> Is there a safe way to avoid CSRF tokens in my Django project?
>
> Regards,
> Thomas
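
Added example, not part of the original thread and not Django's code: a simplified model of the browser's SameSite rule, showing which requests still carry the session cookie when it is set to `Lax`. The `Request` fields, the scenario names and the helper functions are constructed for illustration.

```python
from dataclasses import dataclass

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


@dataclass(frozen=True)
class Request:
    """Constructed model of one browser request to the Django site."""
    method: str
    same_site: bool       # initiator shares the target's registrable domain
    top_level_nav: bool   # navigation that changes the address bar


def cookie_sent(samesite: str, req: Request) -> bool:
    """Return True if the browser attaches a cookie with this SameSite value."""
    policy = samesite.lower()
    if policy not in {"strict", "lax", "none"}:
        raise ValueError(f"unknown SameSite value: {samesite!r}")
    if req.same_site or policy == "none":
        return True
    if policy == "strict":
        return False
    # Lax: cross-site requests carry the cookie only on top-level
    # navigations that use a safe method.
    return req.top_level_nav and req.method.upper() in SAFE_METHODS


# Constructed scenarios, each aimed at a logged-in user's session.
SCENARIOS = {
    "cross-site form POST": Request("POST", same_site=False, top_level_nav=True),
    "cross-site fetch POST": Request("POST", same_site=False, top_level_nav=False),
    "cross-site <img> GET": Request("GET", same_site=False, top_level_nav=False),
    "cross-site link GET": Request("GET", same_site=False, top_level_nav=True),
    "sibling-subdomain POST": Request("POST", same_site=True, top_level_nav=True),
}


def still_authenticated(samesite: str) -> list[str]:
    """Scenarios where the session cookie is still sent under this policy."""
    return [name for name, req in SCENARIOS.items() if cookie_sent(samesite, req)]


if __name__ == "__main__":
    for policy in ("Lax", "Strict", "None"):
        print(policy, "->", still_authenticated(policy))
```

Under `Lax` two scenarios remain: the cross-site link GET, which is why state-changing views must not accept GET, and the sibling-subdomain POST, which SameSite treats as same-site so the CSRF token is the check that still applies.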

