Protect non-idempotent requests with anti-CSRF tokens or SameSite cookies plus origin verification.
Without CSRF defenses, attackers can trigger authenticated state changes from a victim's browser (OWASP A01).
BeforeMerge scans your pull requests against this rule and dozens more. Get actionable feedback before code ships.
Cookie-based sessions are sent automatically with cross-site requests, so a malicious page can make the victim's browser perform authenticated actions. Anti-CSRF tokens (or strict SameSite + origin checks) ensure requests originate from your own app.
// Bad: cookie auth with no CSRF defense on a mutating route
app.post("/transfer", transferFunds);
// Good: require and verify a CSRF token
import csrf from "csurf";
app.post("/transfer", csrf(), transferFunds);