https://takao.blog/en/tags/csrf/Recent content in Csrf on Commentary of TakaoHugo -- gohugo.ioenCommentary of TakaoSat, 13 Jun 2026 23:11:50 +0900https://takao.blog/en/web/security-csrf-tokens-samesite-cookies/Mon, 25 Aug 2025 00:00:00 +0900https://takao.blog/en/web/security-csrf-tokens-samesite-cookies/<img src="https://takao.blog/img/thumnail.webp" alt="Featured image of post Mitigating CSRF: SameSite Cookie Attributes and CSRF Tokens" /><h2 id="introduction">Introduction </h2><p>Cookies are a convenient mechanism for managing user authentication state. When a session ID is stored in a cookie, the browser automatically attaches it to outgoing HTTP requests targeting the domain.</p> <p>However, this automatic attachment feature is exploited by <strong>Cross-Site Request Forgery (CSRF)</strong> attacks.</p> <p>Although modern browsers default to safer cookie behaviors (such as applying <code>SameSite=Lax</code> automatically), developers must understand CSRF defense patterns to prevent serious authentication vulnerabilities. This article reviews SameSite cookie attributes and CSRF token verification patterns.</p>