Fragment caching & CSRF

Question

What is the prefered way to deal with cached forms and CSRF token? Here they propose a JS overwrite of input attribute, but I also want to cache the header.

Answer 1

Here is an article describing different methods: http://www.fastly.com/blog/Caching-the-Uncacheable-CSRF-security/.

A short summary:

1. Using ESI (Edge Side Includes): render a placeholder in Rails which you fill with the CSRF token later.
2. Including the CSRF token in a cookie and copy it into the form via javascript.
3. Fetch the token in a separate AJAX request and copy it into the form via javascript.

My take:

You need to set up special infrastructure for using ESI, so I do not like that solution. AJAX requests are slow and a lot of network overhead, so I do not like that solution as well... So I would go with the cookie solution or with the JS solution you already mentioned, since these are the simplest solutions.