A reviewer flags that your web app relies only on the SameSite cookie attribute to stop CSRF. Why isn't that enough on its own, and how would you actually protect a state-changing endpoint?

technical-conceptual · Mid level · software-engineering

What the interviewer is really asking

Assesses whether the candidate understands that SameSite is defense-in-depth rather than a complete CSRF control, and can name a real anti-CSRF mechanism appropriate to the architecture (synchronizer token for stateful apps, double-submit cookie or custom header for stateless/API).

What to say

What to avoid

Example answers

Strong: SameSite is good defense-in-depth but not complete: it doesn't help with mutating GET requests and a compromised sibling subdomain can still send cookies, and OWASP says to pair it with a token, not replace one. So for a stateful app I'd add a synchronizer token validated server-side on every POST, and for our JSON API I'd require a custom X-CSRF header plus an Origin check, keeping SameSite=Lax as a second layer.

Weak: We set the cookie to SameSite=Strict, so cross-site requests can't carry the session and CSRF is basically handled — adding tokens on top would just be extra complexity for no real gain.

Want questions matched to your role? Paste a job title, job description, or CV and get a personalized set, or go Pro to unlock the full bank.