Hacker's Docs
  • Main
  • Web Security
    • Security Headers
      • Content Security Policy
      • Same Origin Policy
    • Web Vulnerabilities
      • Cross Site Scripting
        • Stored XSS
      • Cross Site Request Forgery
        • CSRF Best Practices
        • CSRF Example Usages
      • Server Side Request Forgery
      • SQL Injection
  • Secure Coding Practices
    • Learning Resources
  • Cheatsheets
    • Security Tools
      • Nmap
      • Tcpdump
    • Cloud Tools
      • Argo
      • Docker
      • Kubernetes
    • Coding
      • Bash
      • Go
      • Python
      • C++
  • AI Security
    • Learning Resources
  • Coding Practices
    • Leetcode
    • API
    • Log Parsing
  • Penetration Testing
Powered by GitBook
On this page

Was this helpful?

  1. Web Security
  2. Web Vulnerabilities
  3. Cross Site Request Forgery

CSRF Best Practices

  • Strict:

    • Use SameSite=Strict for cookies containing sensitive information or those used in critical operations (e.g., authentication cookies).

    • Example:

      httpCopy codeSet-Cookie: authToken=xyz789; Secure; HttpOnly; SameSite=Strict

  • Lax:

    • Use SameSite=Lax for cookies that should generally be sent in same-site contexts but still allow some cross-site requests (e.g., navigations from external links).

    • Example:

      httpCopy codeSet-Cookie: trackingId=def456; Secure; HttpOnly; SameSite=Lax

  • None:

    • Use SameSite=None only when cross-site requests are necessary and ensure the Secure attribute is present to enforce HTTPS.

    • Example:

      httpCopy codeSet-Cookie: thirdParty=ghi123; Secure; HttpOnly; SameSite=None
PreviousCross Site Request ForgeryNextCSRF Example Usages

Last updated 9 months ago

Was this helpful?