StatiS

Proper implementation of CSRF token and Cloudflare cache everything

We would like to enable the Cloudflare page rule "cache everything" for an e-commerce website. However, because CF strips the token from the cached page, we are getting a CSRF token mismatch for all requests.

How should we go about this? I read one article where it is suggested that we use CF Edge Workers to dynamically insert a CSRF token when the user really needs it: subscribe, add to cart, checkout.

EffectiX

I too am interested in this... So far I've been implementing workarounds using a WAF skip rule for the POST routes on the forms that present the CSRF issue, and global rate limiting to attempt to cover for the openness of this workaround... but I know this is really far from the ideal way to go about this. However, I haven't found a way to fix it any other way and still keep the cache on.
