Category Archives: CSRF


In this section, we’ll explain the differences between XSS and CSRF, and discuss whether CSRF tokens can help to prevent XSS attacks. What is the difference between XSS and CSRF? Cross-site scripting (or XSS) allows an attacker to execute arbitrary JavaScript within the browser of a victim user. Cross-site request forgery (or CSRF) allows an attacker to induce a…

Read More

CSRF tokens

In this section, we’ll explain what CSRF tokens are, how they protect against CSRF attacks, and how CSRF tokens should be generated and validated. What are CSRF tokens? A CSRF token is a unique, secret, unpredictable value that is generated by the server-side application and transmitted to the client in such a way that it is…

Read More

Defending against CSRF with SameSite cookies

Some websites defend against CSRF attacks using SameSite cookies. The SameSite the attribute can be used to control whether and how cookies are submitted in cross-site requests. By setting the attribute on session cookies, an application can prevent the default browser behavior of automatically adding cookies to requests regardless of where they originate. The SameSite the attribute is added to the Set-Cookie response…

Read More