[iancarroll]

It’s good to protect against DNS rebinding, and the host header or TLS will protect against this, but rebinding isn’t the main source of CSRF issues. You can still blindly perform CSRF attacks via XHR or <form>.

The disadvantage to Tailscale’s implicit authentication is that it can’t take advantage of modern features like SameSite cookies, which can be a strong defense against CSRF. You would need to implement CSRF tokens everywhere, or try to rely on Origin/Referer (which is sketchy).

[benmmurphy]

Blind CSRF should be protected at the application level by CSRF tokens. I don’t think I can come up with a situation where using tail scale auth + CSRF tokens puts you in a worse situation than just using CSRF tokens. Obviously, if you don’t use CSRF tokens you have a problem but you have a problem even if you don’t use this tailscale auth.