Avoiding CSRF tokens

For a CSRF token to be effective, you need to be able to submit it outside of the cookie mechanism. You could make your page execute an AJAX POST to your site in order to retrieve the CSRF token.

e.g. https://www.example.com/GetCSRFToken

Response:

{ "token": "abcdefg" }

Then you will be able to submit this token with your form. As this is a separate request, the response will not be part of your cached page. The only drawback with this method is that JavaScript must be enabled for the token to be retrieved. It might be possible for you to handle this scenario though, and if a form is POSTed without the token due to JavaScript being disabled you could add a confirmation step before the actual item is added to the cart. The confirmation page would be set not to be cached so each user would always get the token for their session.

There is an alternative described at OWASP CSRF Prevention Cheat Sheet titled "Double Submit Cookies"

It submitting Session ID with the form, where javascript reads this cookie value and injects it as a hidden input element to the form. For this to work, your session cookies must not be marked as HTTPOnly, which is a bad practice. So you lose some session cookie security while trying to add some on CSRF.

As an improvement to this method, you can create another cookie with login that stores CSRF token value and use this cookie instead of the sessionid cookie. Now you can mark sessionid cookie as HTTPOnly. (Not marking csrf cookie as httponly is also a bad practice but not critical as before)

(I assume retrieving csrf token via AJAX calls on every page is not an option for performance reasons)

You can use cookies for the CSRF, the cookie is set on the form page and checked on the next one. It may require some tweaks but it will get around the caching.

Don't forget to configure Varnish to not drop that cookie.