Home › BCA Cyber Security › cybersecurity › Web Security — OWASP › CROSS-SITE REQUEST FORGERY (CSRF) is best mitiga…
CROSS-SITE REQUEST FORGERY (CSRF) is best mitigated by
Adisabling JavaScript
Banti-CSRF tokens with SameSite cookies
Cblocking all POST requests
Dusing HTTPS only
Answer & Solution
Correct answer: B. anti-CSRF tokens with SameSite cookies
1. CSRF: attacker tricks an authenticated user's browser into submitting a state-changing request (e.g. transfer money) without the user's intent.
2. MITIGATIONS (used together for defense in depth):
• ANTI-CSRF TOKENS: each form embeds a per-session unguessable token; the server validates it on submit. Attackers on another domain cannot read it.
• SAMESITE COOKIES: setting cookies to SameSite=Lax or SameSite=Strict prevents cookies from being sent on cross-origin requests.
• Origin/Referer header checks for state-changing requests.
3. HTTPS (D) protects in-transit secrecy but doesn't prevent CSRF.
4. Modern browsers default cookies to SameSite=Lax — but explicit token-based defense is still recommended.
_Source: OWASP CSRF Prevention Cheat Sheet + Top 10 2021 cross-references._
Related questions
What does HTTPS provide over plain HTTP?Which OWASP category covers using libraries with KNOWN CVEs?OWASP recommends LOGGING and MONITORING for the SECURITY LIFECYCLE becauseAn IDOR (Insecure Direct Object Reference) attack happens whenWhich mitigation is the SINGLE most effective defense against SQL Injection?SERVER-SIDE REQUEST FORGERY (SSRF) — A10 in OWASP 2021 — happens whenWhat does the SECURITY MISCONFIGURATION category (A05 in 2021) typically include?The OWASP 2021 category A04 'INSECURE DESIGN' is a NEW category that addresses