Deprecate the storefront CSRF implementation
This document represents an architecture decision record (ADR) and has been mirrored from the ADR section in our Shopware 6 repository. You can find the original version here
- With browsers evolving and dropping support for older browser in 6.5 we have wide support for SameSite cookies.
- The current CSRF implementation adds a lot of complexity to all forms and ajax calls in the Storefront.
- The CSRF protection does not add a great improvement in security due to the SameSite strategy.
- We remove the CSRF protection in favor of SameSite cookies which are used and prevent CSRF attacks already.
- All CSRF implementations in the Storefront will be removed.