Csrf in a working post route - Do I need to worry?

I have a fully working ajax post route. It outputs my data successfully, but also includes csrf, which is Cross-Site Request Forgery.

Is there any chance that it will give me future troubles, or is the csrf there just if I want to compare it to a php token?

The route only exists when logged in, so it’s probably not dangerous:

if( site()->user() ) {
  // My route
}

Being logged in is exactly the situation that can be abused by CSRF attacks. That’s why the Panel uses the CSRF token as a shared secret between the frontend and backend to validate that a request actually comes from the Panel and not an attacker.

So the token is a protection and won’t give future troubles. You can call panel()->csrfCheck() and Kirby will do all the checking work for you if you want.

I don’t understand why an attack could happen if the route is only active when a user is logged in.

However, I did get help from your post. I will not use panel()->csrfCheck() because I don’t have access to the panel object and I think it’s too much overhead to load it.

Instead I extracted this code from it:

echo s::get('csrf');

It matches the csrf in the ajax call. Great!

The attack would happen while the user is logged in. You can read more about CSRF at the OWASP wiki page.

So instead of echoing it, you should probably compare it and log out the user if it is invalid. :slight_smile:
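The check the reply above describes, as an added example that is not code from the thread or from Kirby itself. It assumes Kirby 2 conventions: routes registered via `c::set('routes', ...)` in `site/config/config.php`, the toolkit's `s::get()` session helper with the token stored under the key `csrf` (the key the thread's `s::get('csrf')` call reads), the `get()` request helper, `response::json()` / `response::error()`, `site()->user()->logout()`, and PHP 5.6+ for `hash_equals()`. The route name `api/save` and the POST field name `csrf` are placeholders.

```php
<?php
// Added example, not Kirby's own code. Assumes Kirby 2 toolkit helpers
// (s::get, get, response::json/error, site()->user()->logout()) and PHP >= 5.6.
// The point: a logged-in check alone is not enough, because the browser
// attaches the session cookie to a POST that any third-party page triggers.
// What an attacker's page cannot do is read the token your template embedded,
// so the route must require that token and compare it with the session copy.

c::set('routes', array(
  array(
    'pattern' => 'api/save',          // placeholder route name
    'method'  => 'POST',
    'action'  => function() {

      // 1. Authentication: necessary, but on its own it is exactly the
      //    situation CSRF abuses.
      $user = site()->user();
      if (!$user) {
        return response::error('Unauthorized', 401);
      }

      // 2. Token presented by the request (POST field 'csrf' is a placeholder
      //    name; a custom request header works the same way).
      $sent = get('csrf');

      // 3. Token issued to the page and stored in the session.
      $known = s::get('csrf');

      // 4. Compare, never echo. Refuse when either side is missing, and use a
      //    constant-time comparison so the check leaks nothing via timing.
      if (!is_string($sent) || !is_string($known) || $known === '' ||
          !hash_equals($known, $sent)) {
        // As suggested in the thread: treat a bad token as a hostile request
        // and end the session rather than just reporting an error.
        $user->logout();
        return response::error('Invalid CSRF token', 403);
      }

      // 5. Only now do the actual work of the route.
      return response::json(array('status' => 'ok'));
    }
  )
));
```

The token has to reach the session before this route can compare anything: the template that serves the page embeds the session's token into the script that makes the ajax call, and the script sends it back in the POST body or a request header. A page on another origin cannot read that value out of your HTML, so a request without the matching token is exactly the forged one the check is there to stop.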

The attack would happen while the user is logged in.

Now I understand it better.

So instead of echoing it, you should probably compare it and log out the user if it is invalid.

Yeah, I didn’t think I could just echo it and be fine with that. I compare it. :stuck_out_tongue:

Thanks! What would I do without you? :slight_smile:
