Closed anotheredward closed 6 years ago
Code LGTM :shipit:
Have not tested it out on my environment.
@ebuckley Can you think of any cases when we might want to provide a CSRF token on a response that is not html? I couldn't personally.
We're currently using the "set-cookie" strategy from this list: https://stackoverflow.com/questions/20504846/why-is-it-common-to-put-csrf-prevention-tokens-in-cookies
Previously every static file request, for example js, css, woff files, would regenerate and update the CSRF token set in the cookie. This meant that if a user submitted a form before the page was finished loading, their CSRF token would be older than the one on the server and so the request would fail.