Hi @konrad.sopala,
It would still be useful to have enhanced guidance from Auth0 on when CSRF is necessary or recommended.
This is related to my other topic, which describes the problems we’ve had with the state parameter; one solution to that problem is not to apply CSRF protection. In trying to understand the consequences there would be for that decision, Auth0’s CSRF page was not very useful, so in any case in my opinion that page could do with a refresh to apply it to login scenarios specifically.
Are you able to provide any additional guidance on CSRF protection for login scenarios?
Many thanks,
Martin Pain