CME-913

CSRF Protection (Anti-CSRF Token & SameSite Cookie Enforcement)

Description

Server-side enforcement of anti-CSRF tokens (synchronizer tokens or double-submit cookies) combined with SameSite=Strict or SameSite=Lax cookie attributes on session cookies. The server generates a cryptographically random token bound to the user's session (per session or per request), embeds it in forms or response headers, and rejects any state-changing HTTP request (POST, PUT, DELETE, PATCH) that does not present a valid token. The SameSite cookie attribute provides defense-in-depth by instructing the browser not to send the cookie with cross-site requests. Together, these controls prevent cross-site request forgery by ensuring that state-changing requests originate from the application's own pages, not from attacker-controlled sites.
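The following is an added, illustrative implementation of both token patterns named above, not code from the CME catalog or from any particular framework. It assumes a minimal in-memory session store, a hypothetical Request object, and the header name X-CSRF-Token and form field csrf_token; every value in it is constructed. It shows the synchronizer-token check (token stored server-side with the session), the double-submit variant (token in a cookie that must match a header, with an HMAC so a cookie set from elsewhere is not accepted), constant-time comparison, and the Set-Cookie line with SameSite. The token check stays the primary control: SameSite=Lax still sends the cookie on top-level GET navigations, which is why safe methods must not change state.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Methods that must carry a valid anti-CSRF token.
STATE_CHANGING = {"POST", "PUT", "DELETE", "PATCH"}

# Constructed in-memory session store: session_id -> {"csrf_token": ...}.
SESSIONS = {}

# Constructed secret for the double-submit HMAC; a deployment loads this from config.
SERVER_SECRET = secrets.token_bytes(32)


@dataclass
class Request:
    """Hypothetical request shape: only the fields the checks need."""
    method: str
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def new_session():
    """Create a session and bind a fresh synchronizer token to it."""
    sid = secrets.token_urlsafe(32)
    token = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"csrf_token": token}
    return sid, token


def session_cookie_header(sid, same_site="Lax"):
    """Set-Cookie value for the session cookie with SameSite and the usual hardening flags."""
    if same_site not in ("Strict", "Lax"):
        raise ValueError("session cookie must use SameSite=Strict or SameSite=Lax")
    return f"session={sid}; Path=/; HttpOnly; Secure; SameSite={same_site}"


def _equal(a, b):
    """Constant-time string comparison so the check does not leak the token byte by byte."""
    return hmac.compare_digest(a.encode(), b.encode())


def csrf_check(req):
    """Synchronizer-token check. Returns (allowed, reason)."""
    if req.method.upper() not in STATE_CHANGING:
        return True, "safe method"
    session = SESSIONS.get(req.cookies.get("session"))
    if session is None:
        return False, "no valid session"
    # Accept the token from a hidden form field or, for fetch/XHR callers, a header.
    presented = req.form.get("csrf_token") or req.headers.get("X-CSRF-Token")
    if not presented:
        return False, "missing csrf token"
    if not _equal(presented, session["csrf_token"]):
        return False, "invalid csrf token"
    return True, "token valid"


def issue_double_submit_token():
    """Double-submit token: random nonce plus HMAC, so only this server can mint one."""
    nonce = secrets.token_urlsafe(16)
    mac = hmac.new(SERVER_SECRET, nonce.encode(), "sha256").hexdigest()
    return f"{nonce}.{mac}"


def double_submit_check(req):
    """Double-submit check: csrf cookie must equal the X-CSRF-Token header and carry a valid MAC."""
    if req.method.upper() not in STATE_CHANGING:
        return True, "safe method"
    cookie_val = req.cookies.get("csrf")
    header_val = req.headers.get("X-CSRF-Token")
    if not cookie_val or not header_val:
        return False, "missing csrf cookie or header"
    if not _equal(cookie_val, header_val):
        return False, "cookie/header mismatch"
    # Verify the MAC so a cookie planted by a sibling subdomain is rejected.
    nonce, _, mac = cookie_val.rpartition(".")
    expected = hmac.new(SERVER_SECRET, nonce.encode(), "sha256").hexdigest()
    if not nonce or not _equal(mac, expected):
        return False, "csrf cookie not issued by this server"
    return True, "token valid"


if __name__ == "__main__":
    sid, tok = new_session()
    print(session_cookie_header(sid, "Strict"))
    print(csrf_check(Request("POST", cookies={"session": sid})))
    print(csrf_check(Request("POST", cookies={"session": sid}, form={"csrf_token": tok})))
```

The synchronizer variant needs server-side session state; the double-submit variant does not, which is why it has to authenticate the cookie itself with the HMAC. Both reject a request that lacks a token, presents the wrong token, or (for double-submit) presents a cookie the server did not issue.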

CVSS Vector Impacts

Metric | Transition | Rationale
Attack Complexity (AC) | L → H | The anti-CSRF token is a per-session or per-request cryptographic random value that the attacker cannot predict or obtain cross-origin (blocked by same-origin policy). Exploitation now requires a separate vulnerability (XSS, subdomain takeover) to extract the token, transforming a trivial cross-site form submission into a multi-step attack chain.

CWE Relationships

Verification

Check that the application framework's CSRF middleware is enabled and that session cookies carry the SameSite attribute.

$ grep -rn 'csrf\|CsrfViewMiddleware\|csrf_protect\|@csrf_exempt\|antiforgery\|ValidateAntiForgeryToken\|csrftoken' <app_source>/
# Expected: CSRF middleware or token generation present in application code
Platform: any
$ curl -sI http://localhost:8080/login | grep -i 'set-cookie.*samesite'
# Expected: SameSite=Strict or SameSite=Lax
Platform: any