# CSRF Defense Patterns

One-sentence definition: Prevent cross-site request forgery on state-changing endpoints.

## Key Facts

- Synchronizer tokens (per-session or per-request) validated server-side.
- SameSite cookies (Lax/Strict) reduce ambient cookie sending on cross-site requests.
- Double-submit cookie tokens for stateless forms; check the Origin/Referer headers where viable.
- **Verify:** check the official (ISC)² CBK and the current exam outline.

## Exam Relevance

- Recognize token + SameSite as the primary control.

**Mnemonic:** “**Token it**, **SameSite** it.”

## Mini Scenario

Q: POST endpoint lacks token—risk?

A: CSRF; add token validation and SameSite cookies.

## Revision Checklist

- Two defenses.
- When to check Origin.
- Stateless token pattern.

## Related

[[Web Session Management (Cookies Tokens Timeouts)]] · [[Web XSS Defenses and Content Security Policy (CSP)]] · [[Secure HTTP Headers (HSTS Frame Ancestors CORS)]] · [[API Security Fundamentals (REST GraphQL gRPC)]] · [[Domain 8 - Index]]