LOGBOOK

HELP

Quiz Entry - updated: 2026.06.20

What are the three main CSRF protection mechanisms?

CSRF tokens (a secret the attacker can't read), the SameSite cookie attribute (browser won't send the cookie cross-site), and double-submit cookies (token in both cookie and request, must match).

1. CSRF Token (Synchronizer Token Pattern):

  • Server generates random token, stores in session
  • Token sent in HTTP response body or header
  • Client must include token with each modifying request
  • Server verifies token matches session

2. SameSite Cookie Attribute:

  • Set on session cookie: SameSite=Strict or SameSite=Lax
  • Browser won't send cookie with cross-site requests
  • Strict: Never sent cross-site
  • Lax: Sent only with top-level navigations

3. Double Submit Cookie:

  • Set CSRF token as cookie AND require it as request parameter
  • Attacker can trigger requests but can't read cookies to copy the value
  • Server verifies both values match

From Quiz: SPRG / Input Validation & Output Encoding | Updated: Jun 20, 2026