If you don't rely on a framework to do the heavy lifting for you, or a third party library. As I always say that you have to [understand]() the subject before you abstract it. Here's how to do it manually, but first note that none of the techniques below will work if you're already [XSS]() vulnerable

Since the `Origin` header is being added automatically by browsers as part of the [`CORS`]() mechanism, you can check and validate the header, to check if the request that is coming in, actually comes from you site, block it if it doesn't

Fetch Metadata headers, [introduced]() last year to provide additional context about the resource request. But all you have to know for now is you can use it to to check the origin

Learn more about `Sec-Fetch` headers [here](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Sec-Fetch-Mode) and [here](https://w3c.github.io/webappsec-fetch-metadata/#sec-fetch-site-header)

As in, user sessions can be managed without a database by storing session information as a [JWT]() or [JWE]() within a [cookie](). To defend against CSRF attacks in this setup, use the "Signed Double Submit Cookie Method.":

This method involves generating a unique and cryptographically secure random value, typically a UUID, when a user first authenticates. This UUID is then embedded within both the payload of the JWT/JWE and the CSRF token. To ensure the integrity and authenticity of the CSRF token, use an [HMAC](https://datatracker.ietf.org/doc/html/rfc2104.html), which you combine a secret key (used for signing/encrypting the JWT/JWE) with a hash function like [Blake3](https://github.com/BLAKE3-team/BLAKE3) or SHA256 (make sure it's not computationally intensive but secure enough) , to produce a fixed-size hash value representing the message's integrity. The HMAC message includes two parts: a new random value for collision avoidance and the shared UUID between the JWT/JWE and the CSRF token.

If you want to see a framework implementation of the synchronized pattern , check out [`Django`]()'s implementation with the CSRF mitigation middleware, you can read the source code [here]().

<H2>Cookies</H2>

- \- Setting the `SameSite` attribute to `Lax` or `Strict` to control cookie behavior in cross-site requests, more [below]().

Also, for enhanced security measures, consider cookie prefixes like `__Host-` and `__Secure-`, read more [here]()

<H3>About "SameSite" Cookies</H3>

Read about [`Lax`]() and [`Strict`]() from the official [RFC](). Here's is basically what they do:

Requiring users to authenticate using their password, biometric data, security questions, or [OTP]() is a highly effective security measure. However, it can significantly impact user experience, so it's typically used only for critical operations like changing passwords or conducting financial transactions. Avoid using CAPTCHA for this purpose, as it's primarily aimed at preventing automated bot attacks and doesn't provide the necessary level of security for these sensitive activities.

And oh yeah, did I mention that for any state changing request, DON'T USE [safe methods]().