I've recently been working with other new frameworks, particularly Remix. Coming from Django, which has had excellent CSRF protection for many years, one of my first questions was how to handle CSRF protection. The response I got led me to the "Lax" SameSite cookie parameter, and that I really wouldn't need more than that for the session cookie.
It appears that Django has defaulted the session cookie to `Lax` since the SESSION_COOKIE_SAMESITE parameter was added in Django 2.1. All current browsers seem to have supported it since 2019. Is it time for us to remove the CSRF Middleware from the default settings template file?

--
You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/f5c90c5e-a7b1-49f2-84da-0cce32f6f67dn%40googlegroups.com.