# CSRF Example Usages #### Good Example Using the `SameSite` attribute correctly to enhance security by restricting the cookie to same-site requests: ```http httpCopy codeSet-Cookie: sessionId=abc123; Secure; HttpOnly; SameSite=Strict ``` **Explanation:** * **`sessionId=abc123`**: The cookie name and value. * **`Secure`**: Ensures the cookie is only sent over HTTPS. * **`HttpOnly`**: Prevents the cookie from being accessed via JavaScript, mitigating XSS attacks. * **`SameSite=Strict`**: The cookie will only be sent for requests originating from the same site, providing strong protection against CSRF attacks. #### Bad Example Misusing the `SameSite` attribute or omitting it entirely, potentially leading to security vulnerabilities: ```http httpCopy codeSet-Cookie: sessionId=abc123; Secure; HttpOnly ``` **Explanation:** * **`sessionId=abc123`**: The cookie name and value. * **`Secure`**: Ensures the cookie is only sent over HTTPS. * **`HttpOnly`**: Prevents the cookie from being accessed via JavaScript, mitigating XSS attacks. * **Missing `SameSite` attribute**: Without the `SameSite` attribute, the cookie is sent with both same-site and cross-site requests by default, which could expose the application to CSRF attacks. #### Another Bad Example Using an inappropriate value for the `SameSite` attribute: ```http httpCopy codeSet-Cookie: sessionId=abc123; Secure; HttpOnly; SameSite=None ``` **Explanation:** * **`sessionId=abc123`**: The cookie name and value. * **`Secure`**: Ensures the cookie is only sent over HTTPS. * **`HttpOnly`**: Prevents the cookie from being accessed via JavaScript, mitigating XSS attacks. * **`SameSite=None`**: While this allows the cookie to be sent with cross-site requests, it can only be secure if combined with `Secure`. If `Secure` is not present, it leaves the application vulnerable to CSRF attacks. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.hackerspot.net/web-security/web-vulnerabilities/cross-site-request-forgery/csrf-example-usages.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.