I wanted to use Cloudflare’s Cache Everything feature on our website, but I was unable to because of the CSRF protection that our e-commerce store implemented. Requests needed to reach the origin server so that a unique CSRF token could be generated for the user, which is then required for future POST requests.
I solved this problem by creating a Cloudflare Worker script that generates a CSRF token using the encrypted token pattern. The script uses the __cfduid cookie as a nonce; this cookie is set by Cloudflare and is unique to each client. With this script in place, the origin server can verify that the cookie containing the CSRF token was generated by the Cloudflare Worker script, using the shared secret and the __cfduid nonce. Be sure to modify the “shared_secret” variable on line 26 to a custom value unique to your application.
An example PHP function used in conjunction with the Cloudflare Worker script in Magento 1.x to determine if a client’s CSRF token is valid.