On the website, customers automatically receive a subdomain when registering.
I read up on CSRF and CSRF in subdomains can apparently be solved using CSRF_COOKIE_DOMAIN.
Nevertheless, the following lines in the official Django documentation give me a headache:
Subdomains within a site will be able to set cookies on the client for the whole domain. By setting the cookie and using a corresponding token, subdomains will be able to circumvent the CSRF protection. The only way to avoid this is to ensure that subdomains are controlled by trusted users (or, are at least unable to set cookies). Note that even without CSRF, there are other vulnerabilities, such as session fixation, that make giving subdomains to untrusted parties a bad idea, and these vulnerabilities cannot easily be fixed with current browsers.
Source: Cross Site Request Forgery protection | Django documentation | Django
How can I increase protection in subdomains?