On the website, customers automatically receive a subdomain when registering.
I read up on CSRF and CSRF in subdomains can apparently be solved using CSRF_COOKIE_DOMAIN.
Nevertheless, the following lines in the official Django documentation give me a headache:
Limitations
Subdomains within a site will be able to set cookies on the client for the whole domain. By setting the cookie and using a corresponding token, subdomains will be able to circumvent the CSRF protection. The only way to avoid this is to ensure that subdomains are controlled by trusted users (or, are at least unable to set cookies). Note that even without CSRF, there are other vulnerabilities, such as session fixation, that make giving subdomains to untrusted parties a bad idea, and these vulnerabilities cannot easily be fixed with current browsers.
It depends as much on how much control you have over that subdomain as on anything else.
If all traffic to/from that domain is going through your Django stack, and no one else has the ability to handle requests for that subdomain, you could probably greatly improve the situation by adding some middleware to filter the cookies being sent/received.
(That’s in part what’s implied by “(or, are at least unable to set cookies)”.)
See this thread about signing the CSRF cookie to increase protection in subdomains: Signing the CSRF cookie
You can override Django’s CSRF middleware, specifically the methods _get_secret and _set_csrf_cookie, to perform the same logic otherwise but use request.get_signed_cookie and response.set_signed_cookie respectively.
If you override Django’s CSRF middleware to add this additional protection, then you likely will have to override Django’s LoginView (if you are using it) since the built-in LoginView uses Django’s built-in csrf middleware on this line @method_decorator(csrf_protect)
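To make the bypass in the quoted documentation and the signed-cookie fix concrete, here is an added stand-alone model of both checks. It is example code written for this thread, not Django's own middleware and not the code from the linked thread: it does not import Django, it omits Django's token masking, the SERVER_SECRET_KEY value is a constructed placeholder, and the signing format (value, a colon, a base64url HMAC-SHA256 tag) is a simplified stand-in for what django.core.signing does. The attack it models is the one the docs describe: a page on an untrusted subdomain sets a csrftoken cookie scoped to the parent domain and submits a form carrying the same value.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Callable, Optional

# Constructed placeholder for the server-side SECRET_KEY (assumption, not a real key).
# The subdomain attacker never learns it; that asymmetry is the whole defence.
SERVER_SECRET_KEY = b"example-secret-key-not-for-production"


def _signature(value: str, key: bytes = SERVER_SECRET_KEY) -> str:
    """HMAC-SHA256 over the cookie value, base64url-encoded without padding."""
    mac = hmac.new(key, value.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode()


def sign_cookie(value: str, key: bytes = SERVER_SECRET_KEY) -> str:
    """Simplified stand-in for response.set_signed_cookie: "value:signature"."""
    return f"{value}:{_signature(value, key)}"


def unsign_cookie(signed: str) -> Optional[str]:
    """Simplified stand-in for request.get_signed_cookie: returns the value only
    if the tag verifies under the server key, otherwise None."""
    value, sep, tag = signed.rpartition(":")
    if not sep:
        return None
    if not hmac.compare_digest(tag, _signature(value)):
        return None
    return value


def new_csrf_secret() -> str:
    """A fresh per-client CSRF secret; hex, so it never contains ':'."""
    return secrets.token_hex(16)


def csrf_check_unsigned(cookie_value: Optional[str], posted_token: str) -> bool:
    """Models the default check: the cookie carries the secret bare and the
    request passes when the posted token equals it. Any party able to set a
    cookie for the parent domain can satisfy this with a value of its choosing."""
    return cookie_value is not None and hmac.compare_digest(cookie_value, posted_token)


def csrf_check_signed(cookie_value: Optional[str], posted_token: str) -> bool:
    """Models the overridden check: the cookie must carry a tag made with the
    server key before its value is even compared against the posted token."""
    secret = unsign_cookie(cookie_value) if cookie_value else None
    return secret is not None and hmac.compare_digest(secret, posted_token)


Check = Callable[[Optional[str], str], bool]


def attacker_subdomain_request(check: Check) -> bool:
    """The docs' scenario: evil.example.com sets csrftoken for .example.com to a
    value it picked and posts a form with that same value as the token."""
    forged = new_csrf_secret()
    return check(forged, forged)


def attacker_with_own_key_request(check: Check) -> bool:
    """Same attacker, but guessing that the cookie is signed and tagging it with
    a key of its own (constructed). Only the real server key produces a valid tag."""
    forged = new_csrf_secret()
    return check(sign_cookie(forged, key=b"attacker-guessed-key"), forged)


def legitimate_request(check: Check, signed: bool) -> bool:
    """The server issued the cookie itself (signed or bare) and the browser
    posts the matching token from the page."""
    secret = new_csrf_secret()
    cookie = sign_cookie(secret) if signed else secret
    return check(cookie, secret)


if __name__ == "__main__":
    print("unsigned check, attacker:", attacker_subdomain_request(csrf_check_unsigned))
    print("signed check, attacker:  ", attacker_subdomain_request(csrf_check_signed))
    print("signed check, legit:     ", legitimate_request(csrf_check_signed, signed=True))
```

The signed variant only closes the specific hole the docs describe (a subdomain planting a CSRF cookie and a matching token); it does nothing for the session-fixation issue the same paragraph mentions, which is why the answer's caveat about who controls the subdomain still stands.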