Will need to make special considerations for http_requests.
If we REALLY wanted to go hardcore, we could also make it so the cookie is a different token from what is put on the forms. Both are stored with the user session. And both need to be validated accordingly and matched correctly server-side to pass. That way, if the token is stolen from one method, it still won't work. Maybe this could be a config option, and enabled only with the "high/extreme" security profiles by the Setup Wizard.
This might not work for AJAX requests because they need a way to get a CSRF token. They do this through a secondary AJAX request getting a token, but this method will prevent being able to set an HttpOnly CSRF cookie for additional validation.
If we REALLY wanted to go hardcore, we could also make it so the cookie is a different token from what is put on the forms. Both are stored with the user session. And both need to be validated accordingly and matched correctly server-side to pass. That way, if the token is stolen from one method, it still won't work. Maybe this could be a config option, and enabled only with the "high/extreme" security profiles by the Setup Wizard.
Closing.