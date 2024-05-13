I have a custom LAMP site with some landing pages that contain a form which submits to the application to show some results as a preview of the sample content, for which one can subscribe to a paid plan.

The landing pages were created beautifully by a designer and I had to stitch the pages to integrate with the application.

But I was wondering if I could have the landing pages on a separate subdomain/domain which would POST to my application, since there's no user login for the previews. This way the designer can handle the landing pages on a subdomain to which he would have exclusive access, and I would focus on the application itself.

But I implemented a CSRF token in vanilla PHP. This won't work when the designer has his pure HTML+CSS pages on the separate subdomain.

So how do I mitigate attacks if I can't implement a CSRF token? I can't depend solely on the HTTP Referer.

The main goal is to have the landing pages in React on Vercel etc. to get a good PageSpeed score, and to have the HTML designers not depend on the application devs to update the landing pages.
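An added example of the two checks a session-less preview endpoint can apply to a cross-subdomain form POST (this is not the poster's code): an exact-match Origin allowlist, which browsers attach to cross-origin POSTs and page scripts cannot forge, and a stateless, time-limited HMAC token that the landing page fetches from an assumed token endpoint and submits in a hidden field. The hostname `landing.example.com`, the secret and the field name `preview_token` are assumptions.

```php
<?php
// Added example, not the poster's code. Assumes the static/React landing pages
// are served from https://landing.example.com and the PHP app handles the POST.
const ALLOWED_ORIGINS = ['https://landing.example.com'];      // assumed hostname
const TOKEN_SECRET    = 'replace-with-a-long-random-secret';  // placeholder

// Check 1: Origin allowlist. Prefer Origin; fall back to the Referer's
// scheme+host only when Origin is absent. Fail closed when neither is present.
function origin_is_allowed(array $server, array $allowed): bool {
    $origin = $server['HTTP_ORIGIN'] ?? null;
    if ($origin === null && isset($server['HTTP_REFERER'])) {
        $p = parse_url($server['HTTP_REFERER']);
        if ($p !== false && isset($p['scheme'], $p['host'])) {
            $origin = $p['scheme'] . '://' . $p['host'];
            if (isset($p['port'])) { $origin .= ':' . $p['port']; }
        }
    }
    return $origin !== null && in_array($origin, $allowed, true);
}

// Check 2: stateless token = "<expiry>.<nonce>.<hmac>", no session required.
// The landing page obtains it from an assumed GET endpoint on the app (with a
// CORS policy limited to ALLOWED_ORIGINS) and posts it back as a hidden field.
function make_preview_token(string $secret, int $ttl = 3600): string {
    $msg = (time() + $ttl) . '.' . bin2hex(random_bytes(8));
    return $msg . '.' . hash_hmac('sha256', $msg, $secret);
}

function verify_preview_token(string $token, string $secret): bool {
    $parts = explode('.', $token);
    if (count($parts) !== 3) { return false; }
    [$exp, $nonce, $mac] = $parts;
    if (!ctype_digit($exp) || (int)$exp < time()) { return false; }  // expired
    $expected = hash_hmac('sha256', $exp . '.' . $nonce, $secret);
    return hash_equals($expected, $mac);  // constant-time compare
}

// Form handler: both checks must pass before the preview is rendered.
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $ok = origin_is_allowed($_SERVER, ALLOWED_ORIGINS)
       && verify_preview_token($_POST['preview_token'] ?? '', TOKEN_SECRET);
    if (!$ok) {
        http_response_code(403);
        exit('Request rejected');
    }
    // ... render the preview sample ...
}
```

The Origin check alone already covers a plain browser-submitted cross-site form; the token adds protection against replay from pages that are not on the allowlist but does not bind to a user, since there is no login to bind to.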