Make sure that you are using the same domain for all requests.
For example:
- serve your content from www.example.com (replace with your domain name here); and
- run the proxy on vault.example.com which then has an upstream of api-internal.example.com
This way you can set the cookie domain value to example.com, and the browser will send it to the proxy and to the website that serves the unprotected content without having to disable cookies or CSRF. Another option may be using a CSRF protection mechanism that doesn't require cookies (i.e. via sessions).
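The following is an added illustration, not part of the comment above or of any Vault code: it models the RFC 6265 cookie-scoping rules to show which of the hosts named in the comment (www.example.com, vault.example.com, api-internal.example.com, all placeholders) a browser would attach a cookie to, comparing a cookie set with Domain=example.com against a host-only cookie (no Domain attribute) set by www.example.com.

```python
# Added example: models RFC 6265 cookie scoping (section 5.1.3 domain-match and
# the host-only rule from section 5.3) to show where a browser sends a cookie.
# Hostnames are the placeholders from the comment, not real systems.


def domain_match(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 5.1.3: a host domain-matches a Domain attribute when the two are
    equal, or when the host ends with '.' + domain (a leading dot on the
    attribute is ignored, as browsers do)."""
    request_host = request_host.lower().rstrip(".")
    cookie_domain = cookie_domain.lower().strip(".")
    if not cookie_domain:
        return False
    if request_host == cookie_domain:
        return True
    return request_host.endswith("." + cookie_domain)


def accept_cookie(set_by: str, cookie_domain):
    """A browser only stores a cookie whose Domain attribute the setting host
    domain-matches (www.example.com may set Domain=example.com, but not
    Domain=other.com). Returns the stored cookie record or None if rejected."""
    if cookie_domain is not None and not domain_match(set_by, cookie_domain):
        return None
    return {"set_by": set_by, "domain": cookie_domain}


def cookie_sent_to(cookie: dict, request_host: str) -> bool:
    """True if the stored cookie is attached to a request to request_host.
    No Domain attribute means host-only: sent back only to the host that set it."""
    if cookie["domain"] is None:
        return request_host.lower() == cookie["set_by"].lower()
    return domain_match(request_host, cookie["domain"])


# Constructed sample cookies for the layout described in the comment.
SHARED_COOKIE = accept_cookie("www.example.com", "example.com")
HOST_ONLY_COOKIE = accept_cookie("www.example.com", None)

HOSTS = ["www.example.com", "vault.example.com", "api-internal.example.com",
         "example.com", "notexample.com"]


def scope_report(cookie: dict) -> dict:
    """Map each host in HOSTS to whether the cookie would be sent to it."""
    return {h: cookie_sent_to(cookie, h) for h in HOSTS}


if __name__ == "__main__":
    print("Domain=example.com:", scope_report(SHARED_COOKIE))
    print("host-only:", scope_report(HOST_ONLY_COOKIE))
```

Note that a Domain=example.com cookie is also attached to requests to every other host under example.com (api-internal.example.com included), so every subdomain must be trusted with it; the host-only cookie never reaches vault.example.com, which is why the comment recommends the shared parent domain.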