This project is not maintained anymore. You can still view and search the archives.

Cross-Site Request Forgery is dead!

Hi, I’m Anselm Hannemann, a freelance Frontend Developer and Engineering Manager. You can hire me. I wrote WDRL for 10 years and have a a Market Garden as a side-business.

This link appeared in WDRL 171 on 24.02.2017.

Cross-Site Request Forgery is dead!

Mitigating Cross-Site Request Forgery attacks has never been easy. Luckily, it seems that we now got a proper solution for it: Same-Site Cookies. The only thing you need to do to make it work is adding SameSite to your existing Set-Cookie header. Of course, you should know how same-site cookies differ from “normal” cookies, but for most sites this should be easy to implement.