Ory is the largest open source community in the world for cloud software application security. We maintain advanced open source security software solving authentication, authorization, access control, application network security, and delegation. Ory implements a variety of industry and best-practice standards including OAuth 2.0 / OAuth 2.1, OpenID Connect, Zero Trust Networking, Google Zanzibar Policy Framework, FIDO2 U2F, WebAuthn, TOTP, and more.

Ory Community

hello,
I have kratos setup and runs well for some weeks until I got csrf mismatch error lately. I did review page <https://www.ory.sh/kratos/docs/next/debug/csrf/> and found this content:

```We do not recommend running them on separate subdomains, e.g. <https://kratos.my-website/> and <https://secureapp.my-website/>.```
Why do you have that recommendation? just currently I set it up like that way. In case I continue with that way, is there any advice for me to get rid of csrf issue?

Thanks so much.

The recommendation is a bit outdated. You need to make sure to set the cookie domain correctly. Would you be up to fix the documentation here so it becomes clearer? :slightly_smiling_face:

Ok <@U010F2N7G2X>, but let I check and resolve our csrf issue first. I'll contact you again if I can reproduce issue