I have an Elixir application that uses Phoenix for the interface. This application has a contact form that needs to be embedded in other websites. Once the form is embedded via an iFrame in the other websites and then submitted, it returns an error:
invalid CSRF (Cross Site Request Forgery) token, please make sure that:
* The session cookie is being sent and session is loaded
* The request include a valid '_csrf_token' param or 'x-csrf-token' header
Because I can’t control the domains of the websites, I can’t update the plug Plug.Session opts.
Am I correct in my understanding that CSRF is mostly there to protect authenticated sessions? Since this is a simple contact form that will be embedded, can I remove the CSRF check for this POST route, or is there a better way to handle this?