.ns { max-width: 760px; margin: 0 auto; padding: 60px 32px; font-family: Inter, sans-serif; color: #f4f4ee; } .ns h1 { font-family: Fraunces, Georgia, serif; font-size: 44px; letter-spacing: -.025em; margin: 16px 0 18px; line-height: 1.08; } .ns h2 { font-family: Fraunces, Georgia, serif; font-size: 26px; letter-spacing: -.015em; margin: 32px 0 12px; } .ns p { font-size: 16px; line-height: 1.7; color: rgba(244,244,238,.8); margin: 0 0 18px; } .ns .meta { font-family: 'JetBrains Mono', monospace; font-size: 11px; letter-spacing: .14em; text-transform: uppercase; color: #c5ff4a; margin-bottom: 8px; } .ns nav a { color: #c5ff4a; text-decoration: none; margin-right: 12px; } .ns nav { font-family: 'JetBrains Mono', monospace; font-size: 11px; letter-spacing: .12em; text-transform: uppercase; padding: 18px 0; border-top: 1px solid rgba(255,255,255,.1); border-bottom: 1px solid rgba(255,255,255,.1); margin: 32px 0; }

Web Application Security · 2024-06-02 · Karthik R.

CSRF After SameSite: Is It Really Dead?

SameSite=Lax-by-default killed most CSRF. Most. Subdomain trust, GET-with-side-effects, JSON-body CSRF and the two-minute window all still bite. A 2024 refresher.

The full article renders with JavaScript enabled. The summary above is provided for accessibility and indexing.