Is CSRF needed on a page that does not have authentication



  • I'm making a configuration page for an embedded Linux device. When the user presses a button, the device starts a WiFi access point. The user connects to the AP and visits the web page. This page is not protected by a password. Anyone who can connect to the AP can visit the page and make any changes. Is CSRF needed here? Can CSRF protection even be added?



  • Yes, you do.

    The problem with CSRF is that it essentially allows an attacker to send requests to a site he can't directly access. That means an attacker could create a page that causes the victim to send an unwanted POST request to the configuration page, essentially changing the configuration. The fact that you don't require authentication is irrelevant.

    Example scenario: your laptop is both connected to the internet (say via wired network) and to the device's wifi. In your browser you have two tabs open: the device's admin page, and mechsawesomeblog.net. Normally the device is not visible from the internet, but without CSRF protection, the javascript in the mechsawesomeblog.net tab can send POSTs to your device and change its config.

    How to protect against CSRF attacks?

    The simplest way is the "Double Submit Cookie Pattern". Essentially, when the user requests the page, you create a nonce (a value which needs to be random and hard to guess), which you send both as a cookie and in a hidden field in the form.

    When the client loads the page and submits a legitimate configuration change, the nonce is returned both as cookie and in the hidden field. Since both values are identical, the request is seen as legitimate. If the values mismatch or are not legitimate, the request is ignored.

    How does this protect against CSRF attacks?

    An attacker can only cause the user to submit POST requests from the browser of the victim. This means that if the victim has never visited the configuration page, there is no cookie to be sent, and as such, the request will always fail.

    If the victim has a CSRF cookie, the body of the POST request needs to contain the same value as is stored in the cookie. However, the attacker does not know the correct value, and attempting to brute-force it should be infeasible.

    How exploitable is this?

    In all honesty, I would rate it as unlikely, but possible. First of all, given that it's an IoT device, it will likely be reachable via IP address. And while the number of plausible addresses is not as big, it still makes the attack more difficult.

    Secondly, the severity of the attack depends on the configuration. Adding new users able to connect via SSH will be more critical, whereas changing the color of an LED will be less critical.

    tl;dr

    Use the Double Submit Cookie Pattern and you will be fine.
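A minimal, stateless implementation of the double-submit check described in this answer, as an added example that is not part of the original answer: the cookie and field names, and the plain-string request model (a raw `Cookie` header and a URL-encoded POST body) are assumptions for demonstration.

```python
import hmac
import secrets
from http.cookies import SimpleCookie
from typing import Optional, Tuple
from urllib.parse import parse_qs

COOKIE_NAME = "csrf_token"  # assumed name; any name works as long as both sides agree
FIELD_NAME = "csrf_token"


def issue_token() -> str:
    """Fresh, unguessable nonce minted each time the configuration page is served."""
    return secrets.token_urlsafe(32)


def render_form(token: str) -> Tuple[str, str]:
    """Return (Set-Cookie header value, HTML form) that both carry the same nonce."""
    # HttpOnly is fine here: the form is server-rendered, so no script needs to read it.
    # SameSite=Strict additionally keeps the browser from attaching the cookie cross-site.
    set_cookie = f"{COOKIE_NAME}={token}; SameSite=Strict; HttpOnly; Path=/"
    html = (
        '<form method="POST" action="/config">'
        f'<input type="hidden" name="{FIELD_NAME}" value="{token}">'
        '<input name="ssid"><button>Save</button></form>'
    )
    return set_cookie, html


def csrf_valid(cookie_header: str, post_body: str) -> bool:
    """Double-submit check: cookie value and hidden field must both exist and match."""
    cookies = SimpleCookie()
    cookies.load(cookie_header or "")
    cookie_token: Optional[str] = cookies[COOKIE_NAME].value if COOKIE_NAME in cookies else None
    form_token: Optional[str] = parse_qs(post_body).get(FIELD_NAME, [None])[0]
    if not cookie_token or not form_token:
        # Victim never loaded the page (no cookie) or the field was omitted: reject.
        return False
    # Constant-time comparison so a mismatch does not leak how many bytes matched.
    return hmac.compare_digest(cookie_token, form_token)


def handle_config_post(cookie_header: str, post_body: str) -> Tuple[int, str]:
    """Apply the configuration change only when the double-submit check passes."""
    if not csrf_valid(cookie_header, post_body):
        return 403, "CSRF check failed; change ignored"
    ssid = parse_qs(post_body).get("ssid", [""])[0]
    return 200, f"configuration updated: ssid={ssid}"
```

A cross-origin page can still fire the POST, but it cannot read the device's cookie nor the server-rendered hidden field, so its request arrives with a missing or mismatched token and is rejected.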

