Django supports samesite on session cookies now, and it's on (set to lax) by default. Whether or not that completely covers your surface risk to CSRF attacks is a somewhat different question.
On Sun, Apr 19, 2020 at 3:12 PM guettli <guettli.goo...@thomas-guettler.de> wrote: > iI look at this page: https://docs.djangoproject.com/en/3.0/ref/csrf/ > ... and then I look at this page: https://scotthelme.co.uk/csrf-is-dead/ > > Is a CSRF token still needed today? > > All my users use a modern browser. > > It would be very nice if I could get rid of the CSRF token. > > Is there a safe way to avoid CSRF tokens in my Django project? > > Regards, > Thomas > > -- > You received this message because you are subscribed to the Google Groups > "Django users" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to django-users+unsubscr...@googlegroups.com. > To view this discussion on the web visit > https://groups.google.com/d/msgid/django-users/487c7392-e874-4a1e-a1ff-488ab933ae42%40googlegroups.com > <https://groups.google.com/d/msgid/django-users/487c7392-e874-4a1e-a1ff-488ab933ae42%40googlegroups.com?utm_medium=email&utm_source=footer> > . > -- You received this message because you are subscribed to the Google Groups "Django users" group. To unsubscribe from this group and stop receiving emails from it, send an email to django-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/CA%2Bv0ZYX_UaskL%2BGXjusNreEQp6mkwu71k_qZsz2NCQ1ur8LVDA%40mail.gmail.com.
