Let’s suppose my site is completely in LiveView; even the login form is a live form. I have no regular route, GET or POST or anything else. So I have no need for any cookie. Is the CSRF protection still important to me? What kind of attack vectors are now possible if I remove the CSRF token in LiveView?
It seems that the CSRF token is required when issuing the WebSocket request.
It can be disabled. I already did; however, I want to know what kind of security implications there are.
If you disable the CSRF protection, then the live session is also disabled, which is what could be harmful in this scenario. So the answer is no, it is fine to disable it, but you won’t have access to the cookie session.
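
The trade-off described in the answer above, shown as an added example (not code from any poster in this thread): a Phoenix endpoint with the socket session enabled next to the session-less form, plus a LiveView that reads the session. `MyAppWeb`, `:my_app`, the cookie key, the salt and the `"user_token"` session key are constructed placeholders.

```elixir
defmodule MyAppWeb.Endpoint do
  use Phoenix.Endpoint, otp_app: :my_app

  # Constructed placeholder values.
  @session_options [
    store: :cookie,
    key: "_my_app_key",
    signing_salt: "CONSTRUCTED_SALT",
    same_site: "Lax"
  ]

  # Variant A: cookie session exposed to the socket. Phoenix only hands the
  # session over when the client connects with a valid `_csrf_token` param,
  # so the token is what ties the WebSocket to the browser's session.
  socket "/live", Phoenix.LiveView.Socket,
    websocket: [connect_info: [session: @session_options]]

  # Variant B: no session connect_info, so no CSRF token is needed on
  # connect, and no cookie session is available to the LiveView.
  # socket "/live", Phoenix.LiveView.Socket, websocket: true

  plug Plug.Session, @session_options
  plug MyAppWeb.Router
end

defmodule MyAppWeb.AccountLive do
  use Phoenix.LiveView

  def mount(_params, session, socket) do
    # "user_token" is a hypothetical key. Under Variant B there is no cookie
    # session to read it from, so authentication state has to come from
    # somewhere else.
    user_token = session["user_token"]
    {:ok, assign(socket, :signed_in?, is_binary(user_token))}
  end

  def render(assigns) do
    ~H"""
    <p>Signed in: <%= @signed_in? %></p>
    """
  end
end
```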