                        [Feature Request] Add `--disable-csrf` flag to `server start-dev`
Alternative to disabling it by default (#229)
Hi @lorensr, why would we want to disable it at all?
@feedmeapples might have more details on this scenario:
Since this is a dev server, CSRF protection unnecessarily complicates hosting the dev server, requiring setting up a reverse proxy / HTTPS if it is hosted on non-localhost.
There are folks who run `server start-dev` in a container during development; imagine it might be non-localhost sometimes. I imagine folks also run it on non-localhost for other purposes, like testing or hobby, as a simpler alternative to docker compose (e.g. here).
Use it here and need to go back to docker compose when disabling CSRF is required. Watching this to monitor.
Disabling CSRF can create unintended and surprising security risks even in local contexts. For example: https://www.oligo.security/blog/0-0-0-0-day-exploiting-localhost-apis-from-the-browser
If you plan to use the server in a non-local context, you should use the actual server, not the dev-server (and, yes, you should use CSRF there too). So, absent a really compelling reason I'm not aware of, we do not ever intend to do this. Closing.
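As an added illustration (not the project's own code) of what the Origin/Host check behind this kind of CSRF protection does and why the thread lands where it does: a page on a foreign site that reaches a localhost or 0.0.0.0 port is rejected, non-browser clients with no Origin header still work, and the UI must be served from the same host:port as the API, which is where a reverse proxy comes in when the server is not on localhost. The port, path and header values are constructed.

```go
package main

import (
	"net/http"
	"net/url"
	"strings"
)

// originAllowed implements a browser-facing CSRF check: if the request carries
// an Origin header, its host must equal the Host the request was sent to.
// Browsers always set Origin on cross-site and non-GET requests, so a page at
// http://evil.example calling http://0.0.0.0:8233 (which the browser routes to
// the local machine) arrives as Origin=http://evil.example, Host=0.0.0.0:8233
// and is rejected. curl and SDK clients send no Origin and are allowed, since
// CSRF is a problem of browser-ambient credentials only.
func originAllowed(r *http.Request) bool {
	origin := r.Header.Get("Origin")
	if origin == "" {
		// No Origin: fall back to Sec-Fetch-Site, which modern browsers set.
		// "none" is a user-typed navigation, "same-origin" is the served UI.
		sfs := r.Header.Get("Sec-Fetch-Site")
		return sfs == "" || sfs == "same-origin" || sfs == "none"
	}
	if origin == "null" { // opaque origin (sandboxed frame, file://): reject
		return false
	}
	u, err := url.Parse(origin)
	if err != nil || u.Host == "" {
		return false
	}
	// Same host:port as the one the browser actually connected to.
	return strings.EqualFold(u.Host, r.Host)
}

// csrfGuard wraps an API handler with the check above.
func csrfGuard(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !originAllowed(r) {
			http.Error(w, "cross-origin request rejected", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	api := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Write([]byte("ok\n"))
	})
	// Constructed dev-server address; bound to loopback only.
	http.ListenAndServe("127.0.0.1:8233", csrfGuard(api))
}
```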