Deprecate the storefront CSRF implementation

::: info This document represents an architecture decision record (ADR) and has been mirrored from the ADR section in our Shopware 6 repository. You can find the original version here :::

Context

With browsers evolving and dropping support for older browser in 6.5 we have wide support for SameSite cookies.
The current CSRF implementation adds a lot of complexity to all forms and ajax calls in the Storefront.
The CSRF protection does not add a great improvement in security due to the SameSite strategy.

Decision

We remove the CSRF protection in favor of SameSite cookies which are used and prevent CSRF attacks already.

Consequences

All CSRF implementations in the Storefront will be removed.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

2022-11-16-deprecate-csrf.md

2022-11-16-deprecate-csrf.md

Deprecate the storefront CSRF implementation

Context

Decision

Consequences

Files

2022-11-16-deprecate-csrf.md

Latest commit

History

2022-11-16-deprecate-csrf.md

File metadata and controls

Deprecate the storefront CSRF implementation

Context

Decision

Consequences