LiveView CSRF Security

Because LiveView doesn’t do a standard POST, I’m trying to figure out how it manages CSRF security. Is some sort of check done any time a form’s “submit” button is pressed? Or maybe all attempts to write data in LiveView go through a check.

I’m trying to understand the security implications of saving form data on events such as click, keypress, etc. In other words, am I still safe if form data is saved outside of a typical button with type “submit”.

Thanks in advance for any guidance!

LV by default includes a signed CSRF token when connecting to the socket which is how each browser instance is being authorized/identified.

Should not be able to connect from a site that was not served via your backend, which protects against those types of attacks.

LiveView is stateful remember, so each request does not need to validate a CSRF/auth token, only the initial socket initialization requires those checks


Thanks, makes sense!