Invalid CSRF (Cross Site Request Forgery) on embedded form

I have an Elixir application that uses Phoenix for the interface. This application has a contact form that needs to be embedded in other websites. Once the form is embedded via an iFrame in the other websites and then submitted, it returns an error:

invalid CSRF (Cross Site Request Forgery) token, please make sure that:
  * The session cookie is being sent and session is loaded
  * The request include a valid '_csrf_token' param or 'x-csrf-token' header

Because I can’t control the domains of the websites I can’t update the plug Plug.Session opts.

Am I correct in my understanding that CSRF is mostly to protect authenticated sessions? Since this is a simple contact form that will be embedded, can I remove the CSRF check for this POST route, or is there a better way to handle this?

This can be done in your router, by moving the protect_from_forgery plug to its own named pipeline. Then using it (or not!) when needed :slight_smile:

See related docs for protect_from_forgery.
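The router layout the reply above describes, written out as an added example (this is not code from the original thread or from Phoenix itself; the module name MyAppWeb, the controller names and the `/embed` path are assumed). The CSRF check lives in its own `:csrf` pipeline, the regular site scope pipes through `[:browser, :csrf]`, and only the scope serving the embedded contact form skips it:

```elixir
defmodule MyAppWeb.Router do
  use MyAppWeb, :router

  # Assumed module and controller names; not from the original post.
  pipeline :browser do
    plug :accepts, ["html"]
    plug :fetch_session
    plug :fetch_flash
    plug :put_secure_browser_headers
    # protect_from_forgery is deliberately NOT here; it moved to :csrf below
  end

  # CSRF protection as its own named pipeline, so each scope opts in or out.
  pipeline :csrf do
    plug :protect_from_forgery
  end

  # The normal site: session + CSRF token required on POST/PUT/PATCH/DELETE.
  scope "/", MyAppWeb do
    pipe_through [:browser, :csrf]

    get "/", PageController, :index
    resources "/posts", PostController
  end

  # Unauthenticated contact form rendered inside third-party iframes.
  # No CSRF check here, because the embedding site cannot obtain our token.
  # Keep this scope to routes that need no login and change no user state.
  scope "/embed", MyAppWeb do
    pipe_through :browser

    get "/contact", ContactController, :new
    post "/contact", ContactController, :create
  end
end
```

Only the routes under `/embed` lose the forgery check; every other state-changing route still requires the `_csrf_token` param or `x-csrf-token` header. Since the exempt endpoint accepts posts from anywhere, treat it like any other public, unauthenticated write: log submissions, rate-limit by client, and make sure the handler never acts on the caller's session or any logged-in identity.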

Thank you :grinning: That’s the current workaround I have right now. I guess I’m curious if I am OK doing this from my application from a security standpoint? Will doing that put my application at risk?


I know this is an old question, but only the routes you exempt from :protect_from_forgery become less secure. In the example you gave, potentially an attacker could use this sort of attack to get visitors on another site to submit your form, but if it’s an unauthenticated route, I’m not sure there would be any point in doing that vs scripting a bunch of bogus submissions.