Question

A developer is working on a single-page application (SPA) that uses a JavaScript frontend to interact with stateless RESTful APIs for state-changing operations like profile updates. The application currently relies on session cookies for authentication and is vulnerable to Cross-Site Request Forgery (CSRF) attacks. The developer needs to implement a CSRF mitigation technique that:

Does not require storing additional state on the server.
Integrates seamlessly with the existing JavaScript frontend and stateless APIs.
Ensures that CSRF tokens cannot be predicted or forged by attackers.

Which of the following is the BEST solution for the developer to implement?

quizzes.technology · Accepted Answer

Include a custom request header with a secret value in all state-changing requests from the JavaScript frontend, verifying its presence on the server to enforce the same-origin policy

quizzes.technology · Answer

Use the double-submit cookie pattern, storing a CSRF token in a cookie and also sending it as a request parameter, validating that both values match on the server

quizzes.technology · Answer

Implement the synchronizer token pattern by generating CSRF tokens on the server and embedding them in hidden fields or meta tags, validating them on subsequent requests

quizzes.technology · Answer

Set the SameSite attribute to Strict on all session cookies to prevent them from being sent with cross-site requests, thereby mitigating CSRF

🛡️ Free practice test question from: CSRF mitigation (Security+)

Question: 95

Question: 198

Question: 162

💬 Discussion and Feedback

Comments