CSRF
What is CSRF?
Cross-Site Request Forgery
Cross-Site Request Forgery (CSRF) is an attack where a user visiting a malicious site is tricked into performing an action on your site — like transferring money or changing their email — using their existing login session. The attack works because browsers automatically send your site's cookies with every request, even ones triggered from other sites.
In more detail
A simple CSRF attack looks like this: an attacker hosts a page with `<form action="https://your-bank.com/transfer" method="POST"><input name="to" value="attacker"><input name="amount" value="1000"></form>` and auto-submits it. If the victim is logged into your bank in another tab, the browser sends their session cookie with the forged form submission.
The modern defense is `SameSite` cookies: if your session cookie has `SameSite=Lax`, the browser will not send it with cross-site POST requests. Note that `Lax` still sends the cookie on top-level GET navigations, so state-changing actions must never be reachable via GET. For extra safety on high-value actions, add CSRF tokens as well.
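The two layers described above, written out as a constructed example (not code from this page or any framework, standard library only): a `SameSite=Lax` session cookie, a CSRF token bound to the session with an HMAC, and a transfer handler that rejects a request missing either. The `request` dict, `handle_transfer` and the secret are assumptions standing in for a real framework.

```python
"""Constructed CSRF-defense example: SameSite=Lax cookie plus HMAC-bound token."""
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value for the session. SameSite=Lax keeps the browser from
    attaching it to cross-site POSTs; Secure and HttpOnly are defense in depth."""
    jar = SimpleCookie()
    jar["session"] = session_id
    jar["session"]["samesite"] = "Lax"
    jar["session"]["secure"] = True
    jar["session"]["httponly"] = True
    jar["session"]["path"] = "/"
    return jar.output(header="").strip()

def issue_csrf_token(session_id: str, secret: bytes) -> str:
    """Token = nonce.HMAC(secret, session_id.nonce); binding to the session id
    means a token issued for one session is useless in another."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(secret, f"{session_id}.{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"

def verify_csrf_token(session_id: str, secret: bytes, token) -> bool:
    """Constant-time comparison; missing or malformed tokens are rejected."""
    if not isinstance(token, str) or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    expected = hmac.new(secret, f"{session_id}.{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)

def handle_transfer(request: dict, secret: bytes) -> str:
    """Server-side gate for the state-changing POST. `request` is a plain dict
    (assumption) with `cookies` and `form` mappings, as a framework would give you."""
    session_id = request.get("cookies", {}).get("session")
    if not session_id:  # this is what a cross-site POST looks like under SameSite=Lax
        return "rejected: no session cookie"
    if not verify_csrf_token(session_id, secret, request.get("form", {}).get("csrf_token")):
        return "rejected: missing or invalid CSRF token"
    form = request["form"]
    return f"ok: transfer {form['amount']} to {form['to']}"

if __name__ == "__main__":
    SECRET = b"constructed-demo-secret"  # load from configuration in real code
    print(session_cookie_header("sess-123"))
    token = issue_csrf_token("sess-123", SECRET)
    print(handle_transfer({"cookies": {"session": "sess-123"},
                           "form": {"to": "alice", "amount": "50", "csrf_token": token}}, SECRET))
    # the auto-submitted form from the text: no token, and no cookie under Lax
    print(handle_transfer({"cookies": {}, "form": {"to": "attacker", "amount": "1000"}}, SECRET))
```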
Why this matters
Why builders care
CSRF has become less common because modern browsers default cookies to SameSite=Lax. But apps that explicitly set SameSite=None (for embedded iframes) or use authentication in URL parameters are still vulnerable.
FAQ
Frequently asked questions
- Do I need CSRF tokens if I have SameSite=Lax?
- For most apps, SameSite=Lax alone is sufficient. For apps that handle money, admin actions, or privilege changes, add CSRF tokens as defense in depth.
Fix guides
Fix CSRF issues
Cookie missing SameSite
SameSite controls whether cookies are sent on cross-site requests — the main defense against CSRF. Here is how to set it.
CORS credentials misconfiguration
Setting both `Access-Control-Allow-Origin: *` and `Access-Control-Allow-Credentials: true` is a dangerous misconfiguration. Here is why browsers block it and how to fix it correctly.
Related terms
Keep learning
SameSite Cookie Attribute
SameSite controls whether the browser sends your cookie on cross-site requests. The main defense against CSRF.
Cross-Origin Resource Sharing
CORS is a browser mechanism that controls which websites can call your API. Misconfigurations can open your app to cross-site attacks.