Is CSRF mitigation necessary when using plug sessions/cookies for auth with Absinthe?

I was wondering, if you decide to use sessions (typically using cookies) to store the auth token using the Absinthe.Plug :before_send option like in the example here: whether you open yourself up to CSRF attacks on subsequent query/mutation POST requests?

It’s simple enough to store a CSRF token in the page and submit it as an x-csrf-token header in the query/mutation for validation, but I’m not sure whether it’s necessary to worry about it. I’m also not sure exactly how to deal with CSRF token staleness/refresh/reuse issues if the token is needed in multiple queries/mutations on the same page. I could add a request for a fresh token after every POST as part of my GraphQL query, but it’s a bit tedious and maybe there’s a better way?


CSRF protection is recommended for all web request types. It does not matter that the payload is a GraphQL message. By default, tokens can be re-used: a typical SPA would use the token received in its initial page load for all requests until that page is refreshed again.
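As an added illustration of the point above (this is example code written for this page, not code from the thread or from the Absinthe project), here is how the GraphQL endpoint can be put behind the same Plug.CSRFProtection check as ordinary browser forms, with the session-stored auth token wired up through a `:before_send` callback. The app name `MyAppWeb`, the schema `MyAppWeb.Schema` and the context plug `MyAppWeb.Context` are assumed names.

```elixir
# Added example, not from the original thread or the Absinthe docs.
# Assumes a Phoenix app MyAppWeb with an Absinthe schema MyAppWeb.Schema.
defmodule MyAppWeb.Router do
  use Phoenix.Router
  import Plug.Conn
  import Phoenix.Controller

  pipeline :browser do
    plug :accepts, ["html"]
    plug :fetch_session
    plug :protect_from_forgery
  end

  # GraphQL pipeline. Because auth is session-backed, the browser attaches the
  # session cookie to every POST automatically, so the endpoint needs the same
  # CSRF check as a browser form. :protect_from_forgery must come after
  # :fetch_session, since Plug.CSRFProtection compares the x-csrf-token
  # header against the token stored in the session.
  pipeline :graphql do
    plug :accepts, ["json"]
    plug :fetch_session
    plug :protect_from_forgery
    plug MyAppWeb.Context
  end

  scope "/api" do
    pipe_through :graphql

    forward "/graphql", Absinthe.Plug,
      schema: MyAppWeb.Schema,
      before_send: {MyAppWeb.Context, :absinthe_before_send}
  end
end

defmodule MyAppWeb.Context do
  @behaviour Plug
  import Plug.Conn

  def init(opts), do: opts

  # Load the auth token (if any) from the session into the Absinthe context,
  # so resolvers can see who is calling.
  def call(conn, _opts) do
    context =
      case get_session(conn, :auth_token) do
        nil -> %{}
        token -> %{auth_token: token}
      end

    Absinthe.Plug.put_options(conn, context: context)
  end

  # :before_send callback: a login mutation that puts :auth_token into the
  # execution context gets that token persisted into the session cookie.
  def absinthe_before_send(conn, %Absinthe.Blueprint{} = blueprint) do
    case blueprint.execution.context[:auth_token] do
      nil -> conn
      token -> put_session(conn, :auth_token, token)
    end
  end
end
```

On the client side the token only has to be obtained once per page load: render it into the page (for example with `Phoenix.Controller.get_csrf_token/0` in a meta tag) and send it as the `x-csrf-token` header on every GraphQL POST. Plug.CSRFProtection accepts that header for unsafe methods, and the token stays valid for the life of the session rather than being consumed per request, so no per-mutation refresh is needed. A quick check that the protection is actually in force: a POST to `/api/graphql` with the session cookie but no `x-csrf-token` header should be rejected with a `Plug.CSRFProtection.InvalidCSRFTokenError` (a 403) instead of executing the mutation.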


Sounds good, thanks! I was thinking that was the case. Good to hear the tokens can be re-used; I was thinking they were one-time use, requiring constant refreshing, which would add unwanted complexity. I didn’t want to have to request new CSRF tokens with each mutation.