CSRF

how does a CSRF attack work

https://github.com/pillarjs/understanding-csrf#how-does-a-csrf-attack-work

why does CSRF work?

A CSRF attack works because browser requests automatically include all cookies, including session cookies.

how to mitigate

https://github.com/pillarjs/understanding-csrf#how-to-mitigate-csrf-attacks

https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html

implementations

cookie + token: https://security.stackexchange.com/questions/51188/cookiesession-based-csrf-protection
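
One variant of the cookie + token approach, as an added example that is not taken from the linked pages: the server issues a token tied to the session with an HMAC, and a state-changing request is accepted only if the token arrives both in a cookie and in a request header. The function names, the cookie names `session` and `csrf`, the header `x-csrf-token` and the sample requests are assumptions made for the sketch.

```javascript
const crypto = require("node:crypto");

// Assumption: per-process secret for the demo; a real deployment loads it from a secret store.
const CSRF_SECRET = crypto.randomBytes(32);

function sign(sessionId, nonce) {
  // Length prefix keeps (sessionId, nonce) pairs from colliding after concatenation.
  return crypto.createHmac("sha256", CSRF_SECRET)
    .update(`${sessionId.length}:${sessionId}:${nonce}`).digest("hex");
}

// Token = random nonce + HMAC binding it to one session. It is sent to the browser
// as a cookie and also embedded in the page, which echoes it back in a header.
function issueCsrfToken(sessionId) {
  const nonce = crypto.randomBytes(16).toString("hex");
  return `${nonce}.${sign(sessionId, nonce)}`;
}

function safeEqual(a, b) {
  const x = Buffer.from(String(a)), y = Buffer.from(String(b));
  return x.length === y.length && crypto.timingSafeEqual(x, y);
}

// req is a constructed plain object: { method, cookies, headers }.
function checkCsrf(req) {
  if (["GET", "HEAD", "OPTIONS"].includes(req.method)) return true; // must be side-effect free
  const { session, csrf } = req.cookies || {};
  const sent = (req.headers || {})["x-csrf-token"];
  if (!session || !csrf || !sent) return false; // cookies alone are never enough
  if (!safeEqual(csrf, sent)) return false;      // cookie and header token must match
  const [nonce, mac] = sent.split(".");
  if (!nonce || !mac) return false;
  return safeEqual(mac, sign(session, nonce));   // and be issued for this session
}

// Constructed sample requests.
const token = issueCsrfToken("sess-alice");
const legit = { method: "POST", cookies: { session: "sess-alice", csrf: token },
                headers: { "x-csrf-token": token } };
// Cross-site request: the browser attaches the cookies, but the header is absent
// because another origin cannot read the token.
const forged = { method: "POST", cookies: { session: "sess-alice", csrf: token }, headers: {} };
// Token issued for a different session: cookie and header match, the session binding does not.
const foreign = issueCsrfToken("sess-other");
const planted = { method: "POST", cookies: { session: "sess-alice", csrf: foreign },
                  headers: { "x-csrf-token": foreign } };

console.log(checkCsrf(legit), checkCsrf(forged), checkCsrf(planted));
```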