CSRF Protection Techniques

The cluster focuses on discussions about Cross-Site Request Forgery (CSRF) attacks, including the use of CSRF tokens, SameSite cookies, and comparisons to CORS and other mitigations.

➡️ Stable 1.5x Security

1,862

Comments

Years Active

Top Authors

#1053

Topic ID

Activity Over Time

2007

2008

2009

2010

2011

146

2012

188

2013

193

2014

119

2015

2016

113

2017

125

2018

2019

116

2020

110

2021

101

2022

2023

2024

2025

201

2026

Top Contributors

tptacek (59) homakov (38) simonw (22) nbpoole (18) nchmy (16)

Keywords

US HttpOnly mywebsite.com JS PUT MITM mozilla.org BREACH GET pdf.pdf csrf cookies tokens cors cookie token lax protection cross strict

Sample Comments

emodendroket • Nov 1, 2020 • View on HN

That's just standard CSRF stuff isn't it

rshetty10 • May 28, 2016 • View on HN

Will this means we no longer need the CSRF token technique to protect against cross site requests ?

dzonga • Oct 14, 2021 • View on HN

you can use same-site cookie attribute to prevent csrf attacks these days.

X-Istence • Jun 14, 2017 • View on HN

CSRF doesn't save you here... I can send up a CSRF token using curl just as easily...

ptman • Feb 26, 2020 • View on HN

you might not need more advanced csrf protection than a cookie samesite policy.

Seb-C • Nov 9, 2020 • View on HN

If you don't even have a CSRF you actually probably have an issue that you are not aware of.

weird-eye-issue • Aug 21, 2021 • View on HN

What you are describing isn't even CSRF

aphyr • Aug 23, 2012 • View on HN

CSRF won't protect against traffic sniffing; only third parties constructing URLs.

Andrex • Oct 23, 2019 • View on HN

It kills Cross-Site Request Forgery (CSRF): https://news.ycombinator.com/item?id=19854328

hmry • Oct 15, 2025 • View on HN

CSRF is about preventing other websites from making requests to your page using the credentials (including cookies) stored in the browser. Cookies can't prevent CSRF, in fact they are the problem to be solved.