CSRF¶

Cookies Security
- HttpOnly
- Secure
- Domain, Path, SameSite
HTML Element
- GET: <img>, <iframe>, <form>
- POST: <form>
JavaScript
- GET/POST: fetch, XMLHttpRequest
Limitation
- CORS
Mitigation
- Same-origin policy (SOP)
  - SameSite cookies explained
  - SameSite Cookie Changes in February 2020: What You Need to Know
- CSRF token