csrf
Safeguard articles tagged "csrf" — guides, analysis, and best practices for software supply chain and application security.
14 articles
Choosing a secure Node.js web framework: Express, Fastify, Koa, and NestJS compared
None of Express, Fastify, Koa, or NestJS enable security headers, CSRF protection, or input validation by default — the defaults you inherit differ more than you'd think.
CSRF in Node.js: attack mechanics and modern mitigation
Express has never shipped CSRF protection in core, and its most popular middleware, csurf, was archived in 2022 — here's what actually replaces it.
A hardening guide to securing Flask applications
Flask ships session cookies with HttpOnly on by default — but Secure, SameSite, CSRF tokens, and every security header are left entirely to you.
Preventing CSRF and XSS in ASP.NET Core
How CSRF and XSS actually work against ASP.NET Core apps, and the concrete defenses, antiforgery tokens, Razor output encoding, CSP, and SameSite cookies, that shut them down.
What is CSRF (Cross-Site Request Forgery)?
CSRF makes a logged-in user's browser perform actions they never intended — changing an email, moving money, granting access — using the victim's own session. Here's how it works and how to stop it.
PHP Laravel security best practices
One line, `protected $guarded = [];`, can turn a Laravel signup form into an admin-account minting machine — here's how to lock down five real Laravel risk areas.
Cookie Security Best Practices (2026)
Session cookies are the keys to your users' accounts. Here is how to set them so they cannot be stolen, forged, or leaked: the flags, the prefixes, and the parsing pitfalls.
What is Cross-Site Request Forgery (CSRF)
CSRF forges an authenticated request using a victim's own session cookie. Learn how it works, real Gmail/YouTube cases, and how to detect and fix it.
CSRF Modern Forms: Griffin AI vs Mythos
CSRF in 2026 is not the 2012 attack. SameSite cookies, fetch metadata, and modern frameworks changed the landscape. Detection needs to keep up.
Django CSRF protection and common session security miscon...
Django's CSRF defaults are solid, but wildcards, exempted webhooks, and reordered middleware quietly undo them. Here's where django csrf misconfiguration actually happens.
Cross-site request forgery (CSRF) explained
CSRF forges authenticated requests using a victim's own session cookies. Learn how real attacks against Netflix and uTorrent worked, and how to stop them.
Harbor CSRF Token Bypass Enabling Session Hijack (CVE-202...
CVE-2022-31663 let attackers bypass Harbor's CSRF protections to hijack authenticated sessions. Here's the impact, affected versions, and how to remediate.