CSRF protection in Phoenix with Sec-Fetch-Site
Summary
The article advocates using Sec-Fetch-Site headers to enhance CSRF protection in Phoenix applications, reducing reliance on traditional CSRF tokens. It presents a practical Elixir Plug named CrossOriginProtection that gates non-safe requests based on Sec-Fetch-Site and Origin headers, with a bypass option for specific paths. It also provides unit tests, migration steps for replacing get_csrf_token usage, and WebSocket config changes to align with browser security headers.
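A sketch of the gating logic the summary describes, written here as an added example rather than the article's own CrossOriginProtection Plug; the module name, the `bypass_paths` option shape and the 403 body are assumptions:

```elixir
defmodule MyAppWeb.Plugs.FetchMetadataProtection do
  @moduledoc "Added sketch (not the article's Plug): gate unsafe requests on Sec-Fetch-Site."
  import Plug.Conn
  @behaviour Plug

  @safe_methods ~w(GET HEAD OPTIONS)

  @impl true
  def init(opts), do: Keyword.put_new(opts, :bypass_paths, [])

  # Safe methods must not change state, so they are never gated.
  @impl true
  def call(%Plug.Conn{method: m} = conn, _opts) when m in @safe_methods, do: conn

  def call(conn, opts) do
    cond do
      conn.request_path in Keyword.fetch!(opts, :bypass_paths) -> conn
      decide(conn) == :allow -> conn
      true -> conn |> send_resp(403, "cross-origin request rejected") |> halt()
    end
  end

  # Sec-Fetch-Site is authoritative when present. "none" covers user-typed
  # URLs and bookmarks; "same-site" and "cross-site" are both denied.
  def decide(conn) do
    case get_req_header(conn, "sec-fetch-site") do
      ["same-origin"] -> :allow
      ["none"] -> :allow
      [_other] -> :deny
      [] -> decide_by_origin(conn)
    end
  end

  # Fallback for browsers that send Origin but no Fetch Metadata. Clients
  # that send neither are allowed: they cannot carry a victim's ambient cookies.
  defp decide_by_origin(conn) do
    case get_req_header(conn, "origin") do
      [] -> :allow
      [origin] -> if origin == request_origin(conn), do: :allow, else: :deny
    end
  end

  # Reconstruct this request's own origin to compare against the Origin header.
  defp request_origin(%Plug.Conn{scheme: scheme, host: host, port: port}) do
    default_port? = port == if(scheme == :https, do: 443, else: 80)
    if default_port?, do: "#{scheme}://#{host}", else: "#{scheme}://#{host}:#{port}"
  end
end
```

Mounted in a router pipeline as `plug MyAppWeb.Plugs.FetchMetadataProtection, bypass_paths: ["/webhooks/example"]` (the path is a placeholder), it rejects browser-originated cross-site POSTs before they reach a controller while letting token-less callback endpoints through.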