Quiz Entry - updated: 2026.06.20
What are the three main CSRF protection mechanisms?
CSRF tokens (a secret the attacker can't read), the SameSite cookie attribute (browser won't send the cookie cross-site), and double-submit cookies (token in both cookie and request, must match).
1. CSRF Token (Synchronizer Token Pattern):
- Server generates random token, stores in session
- Token sent in HTTP response body or header
- Client must include token with each modifying request
- Server verifies token matches session
2. SameSite Cookie Attribute:
- Set on session cookie:
SameSite=StrictorSameSite=Lax - Browser won't send cookie with cross-site requests
Strict: Never sent cross-siteLax: Sent only with top-level navigations
3. Double Submit Cookie:
- Set CSRF token as cookie AND require it as request parameter
- Attacker can trigger requests but can't read cookies to copy the value
- Server verifies both values match