rulesSource-backedReview first Safety ✓ Privacy ✓

AI-Generated CSRF Protection Review Rules

Source-backed rules for reviewing AI-generated request handlers and forms before merge for cross-site request forgery risk, covering state-changing method discipline, anti-CSRF token correctness, SameSite cookie posture, origin and referer checks, and safe handling of cookie-based sessions.

by jaso0n0818·added 2026-06-22·

Claude Code

HarnessClaude Code

Install

Source

You are reviewing AI-generated code for cross-site request forgery (CSRF) risk.

Rules:
1. Identify every state-changing operation and confirm it uses POST, PUT,
   PATCH, or DELETE — never GET or HEAD — so it cannot be triggered by a
   simple link, image, or prefetch.
2. For any endpoint authenticated by cookies, require a CSRF defense: a
   synchronizer (anti-CSRF) token, a double-submit cookie, or a verified
   origin, not ambient cookies alone.
3. Validate the anti-CSRF token server-side on every unsafe request, compare
   it with a constant-time check, tie it to the user session, and reject when
   it is missing, empty, or mismatched.
4. Set session and auth cookies with SameSite (Lax or Strict) plus Secure and
   HttpOnly, and treat SameSite as defense in depth, not the only control.
5. Validate the Origin header (and fall back to Referer) against an allowlist
   for unsafe requests, and reject cross-site origins rather than trusting a
   missing header.
6. Confirm the token is never leaked in a URL, log, or referer, and that
   login, logout, and password or email change flows are themselves protected.

Readiness

TrustReview first
Sourcesource-backed
Safety notesPresent
ReviewedYes

Documentation Source repository Registry JSON · LLM text

Review first — review before installing

Open the source and read safety notes before installing.

Citation facts

Source-backed facts for citing this resource, derived directly from the registry — also available as plain text for AI assistants.

Canonical URL: https://heyclau.de/entry/rules/ai-generated-csrf-protection-review-rules
Source URLs: https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html, https://github.com/JSONbored/awesome-claude/blob/main/content/rules/ai-generated-csrf-protection-review-rules.mdx
Safety notes: A missing CSRF defense lets a malicious page perform state-changing actions as a logged-in user — transferring funds, changing email or password, or deleting data — using the victim's ambient cookies., AI assistants often generate handlers that work in tests yet omit token validation or perform state changes on GET, because the happy path succeeds without any forged cross-site request., Relying on SameSite cookies alone is not sufficient: defaults vary, Lax still allows top-level GET navigations, and some clients or legacy browsers do not enforce it.
Privacy notes: CSRF tokens are security credentials; do not paste real tokens, session cookies, or production request captures into public PR comments or issues., Use synthetic accounts and redacted requests when demonstrating a CSRF proof of concept, and avoid attaching real user identifiers., Be careful that anti-CSRF tokens are not written into URLs, analytics, or logs, where they can leak through referer headers or shared dashboards.
Author: jaso0n0818
Submitted by: jaso0n0818
Claim status: unclaimed
Last verified: 2026-06-22

Safety notes

A missing CSRF defense lets a malicious page perform state-changing actions as a logged-in user — transferring funds, changing email or password, or deleting data — using the victim's ambient cookies.
AI assistants often generate handlers that work in tests yet omit token validation or perform state changes on GET, because the happy path succeeds without any forged cross-site request.
Relying on SameSite cookies alone is not sufficient: defaults vary, Lax still allows top-level GET navigations, and some clients or legacy browsers do not enforce it.

Privacy notes

CSRF tokens are security credentials; do not paste real tokens, session cookies, or production request captures into public PR comments or issues.
Use synthetic accounts and redacted requests when demonstrating a CSRF proof of concept, and avoid attaching real user identifiers.
Be careful that anti-CSRF tokens are not written into URLs, analytics, or logs, where they can leak through referer headers or shared dashboards.

Prerequisites

A pull request, diff, or snippet containing an AI-generated or AI-edited request handler, form, or fetch call with enough context to know how the user is authenticated.
Knowledge of how the framework manages sessions and CSRF tokens, since built-in protection, cookie defaults, and token helpers differ between frameworks.
Awareness of which routes change state and which are read-only, so the review can focus on unsafe methods.
Permission to block merge when a cookie-authenticated state change ships without a CSRF defense.

Schema details

Install type: copy
Troubleshooting: Yes

Collection metadata

Estimated setup: 20 minutes
Difficulty: intermediate

Full copyable content

You are reviewing AI-generated code for cross-site request forgery (CSRF) risk.

Rules:
1. Identify every state-changing operation and confirm it uses POST, PUT,
   PATCH, or DELETE — never GET or HEAD — so it cannot be triggered by a
   simple link, image, or prefetch.
2. For any endpoint authenticated by cookies, require a CSRF defense: a
   synchronizer (anti-CSRF) token, a double-submit cookie, or a verified
   origin, not ambient cookies alone.
3. Validate the anti-CSRF token server-side on every unsafe request, compare
   it with a constant-time check, tie it to the user session, and reject when
   it is missing, empty, or mismatched.
4. Set session and auth cookies with SameSite (Lax or Strict) plus Secure and
   HttpOnly, and treat SameSite as defense in depth, not the only control.
5. Validate the Origin header (and fall back to Referer) against an allowlist
   for unsafe requests, and reject cross-site origins rather than trusting a
   missing header.
6. Confirm the token is never leaked in a URL, log, or referer, and that
   login, logout, and password or email change flows are themselves protected.

About this resource

Purpose

Use these rules when an AI coding assistant writes or edits code that performs a state-changing action for an authenticated user. The goal is to stop a generated handler or form from shipping a cross-site request forgery hole just because it works in tests and looks like ordinary request handling.

This is a review policy, not a CSRF tutorial. It tells reviewers what must be true about a generated change's request methods, token handling, cookie posture, and origin checks before the change is safe to merge.

Review Inputs

Collect enough context to know how the request is authenticated and what it does.

The HTTP method and route of every handler the change adds or edits.
How the user is authenticated on that route: cookie-based session, bearer token in a header, or something else.
Whether the framework has built-in CSRF protection and whether this route opts in or out of it.
The cookie attributes set for session and auth cookies (SameSite, Secure, HttpOnly).
Whether the operation changes server state or is purely read-only.

State-Changing Method Rules

Treat any operation that creates, updates, deletes, or otherwise changes state as unsafe and require POST, PUT, PATCH, or DELETE.
Never perform a state change on GET or HEAD; those can be triggered by a link, image, prefetch, or preload without any script.
Do not rely on a hidden form field or request body alone to make a GET "non-idempotent"; the method itself must be unsafe.
Make read endpoints side-effect free so they do not need CSRF defenses and cannot be abused as state changes.

Token And Origin Rules

For cookie-authenticated unsafe requests, require a synchronizer (anti-CSRF) token or a double-submit cookie; ambient session cookies are not a defense.
Generate tokens with a cryptographically secure random source, tie them to the user session, and make them unpredictable.
Validate the token server-side on every unsafe request using a constant-time comparison, and reject when it is missing, empty, or mismatched.
Validate the Origin header against an allowlist for unsafe requests, falling back to Referer, and reject cross-site or missing origins rather than trusting them.
For AJAX/fetch APIs, a required custom header (for example X-Requested-With or X-CSRF-Token) adds a check that simple cross-site form posts cannot set.

Cookie And Session Rules

Set session and auth cookies with SameSite=Lax or SameSite=Strict, plus Secure and HttpOnly.
Treat SameSite as defense in depth, not the only control: Lax still allows top-level GET navigation and enforcement varies across clients.
Prefer non-cookie credentials (a bearer token sent in an Authorization header) for pure APIs, since they are not attached automatically cross-site.
When both a cookie session and a token exist, confirm the unsafe path actually checks the token and does not silently accept the cookie alone.

Merge Blockers

Block merge when any of these is true.

A state-changing operation is reachable over GET or HEAD.
A cookie-authenticated unsafe request has no anti-CSRF token, double-submit cookie, or verified origin.
A CSRF token is generated but never validated server-side, or is compared with a non-constant-time check.
Session or auth cookies are set without SameSite and without any compensating CSRF control.
Login, logout, or password/email change flows lack CSRF protection.
The token is exposed in a URL, log line, or referer-leaking link.

Review Checklist

{"task": "Unsafe methods only", "description": "Every state change uses POST/PUT/PATCH/DELETE, never GET or HEAD"}
{"task": "CSRF defense present", "description": "Cookie-authenticated unsafe requests require a token, double-submit cookie, or verified origin"}
{"task": "Token validated", "description": "The anti-CSRF token is checked server-side with a constant-time comparison and tied to the session"}
{"task": "Cookies hardened", "description": "Session/auth cookies set SameSite, Secure, and HttpOnly"}
{"task": "Origin checked", "description": "Origin/Referer is validated against an allowlist for unsafe requests"}
{"task": "Sensitive flows covered", "description": "Login, logout, and credential-change flows are CSRF protected and tokens never leak"}

AI Review Rules

AI assistants can write and review request handlers, but they should show their evidence.

Ask the assistant to list every state-changing route in the change and its HTTP method before judging safety.
Require the assistant to state how each cookie-authenticated route is protected against CSRF rather than only confirming the happy path works.
Have the assistant show where the token is generated, where it is validated, and that the comparison is constant time.
Do not let the assistant claim SameSite cookies alone make a route CSRF-safe.
Re-run review after any change to authentication, cookie attributes, request methods, or token handling.

Troubleshooting

The form submits but the action never fires cross-site: that is expected when CSRF protection works; confirm a forged cross-site request is rejected, not just that the legitimate form succeeds.
The token check passes with an empty token: the validator is likely treating missing or empty as valid; reject empty, missing, and mismatched tokens explicitly.
It works in tests but not in the browser: tests may send the token automatically; verify a real cross-site request without the token is blocked.
SameSite seems to break a legitimate redirect flow: prefer Lax for session cookies and keep a token check rather than dropping SameSite entirely.

Duplicate And History Check

Before adding or changing CSRF handling, confirm the framework does not already provide protection that this change is bypassing. Many frameworks enable CSRF middleware by default; a generated handler that opts out, disables the middleware, or rolls its own token should be treated as suspicious. Check whether an existing shared helper already issues and validates tokens before introducing a parallel mechanism.

Defense Reference

Defense	What it stops	Caveat
Synchronizer token	Forged cross-site unsafe requests	Must be validated server-side every time
Double-submit cookie	Same, without server-side token store	Cookie must not be readable cross-site
SameSite cookies	Cookies sent on cross-site requests	Lax allows top-level GET; enforcement varies
Origin/Referer check	Requests from other origins	Referer can be absent; allowlist required
Custom request header	Simple cross-site form posts	Only helps for fetch/XHR clients

Sources

OWASP Cross-Site Request Forgery Prevention Cheat Sheet
OWASP CSRF attack reference
MDN Web Docs: CSRF glossary and SameSite cookies
CWE-352: Cross-Site Request Forgery
PortSwigger Web Security Academy: CSRF

#csrf #web-security #authentication #cookies #ai-generated-code #code-review

Source citations

Source methodology →

Add this badge to your README

Show that AI-Generated CSRF Protection Review Rules is listed on HeyClaude. Paste this Markdown into your README — it renders the badge and links back to this page.

[![Listed on HeyClaude](https://heyclau.de/badge/rules/ai-generated-csrf-protection-review-rules.svg)](https://heyclau.de/entry/rules/ai-generated-csrf-protection-review-rules)

How it compares

AI-Generated CSRF Protection Review Rules side by side with 3 alternatives on trust, install, platform support, and disclosed safety notes — all from reviewed registry metadata.

Field	AI-Generated CSRF Protection Review Rules Source-backed rules for reviewing AI-generated request handlers and forms before merge for cross-site request forgery risk, covering state-changing method discipline, anti-CSRF token correctness, SameSite cookie posture, origin and referer checks, and safe handling of cookie-based sessions. Open dossier	Privacy Metadata Rules Source-backed rules for AI workflow directories that need consistent privacy metadata before accepting entries that touch prompts, files, local tools, hosted services, telemetry, generated artifacts, or personal data. Open dossier	AI Assistant Secret Handling Rules Source-backed rules for AI coding assistants that must avoid exposing, copying, logging, committing, or normalizing secrets while editing code, configs, tests, prompts, documentation, and CI workflows. Open dossier	AI-Generated Path Traversal Review Rules Source-backed rules for reviewing AI-generated file-handling code for path traversal before merge, covering canonical path validation, safe root confinement, upload filename sanitization, archive extraction limits, and privacy-safe test evidence. Open dossier
Trust
Install risk	Review first	Review first	Review first	Review first
Notes	Safety ✓ Privacy ✓	Safety ✓ Privacy ✓	Safety ✓ Privacy ✓	Safety ✓ Privacy ✓
Brand	—	—	—	—
Category	rules	rules	rules	rules
Source	source-backed	source-backed	source-backed	source-backed
Author	jaso0n0818	MkDev11	MkDev11	jaso0n0818
Added	2026-06-22	2026-06-04	2026-06-04	2026-06-19
Platforms	Claude Code	Claude Code	Claude Code	Claude Code
Source repo	—	—	—	—
Safety notes	✓A missing CSRF defense lets a malicious page perform state-changing actions as a logged-in user — transferring funds, changing email or password, or deleting data — using the victim's ambient cookies. AI assistants often generate handlers that work in tests yet omit token validation or perform state changes on GET, because the happy path succeeds without any forged cross-site request. Relying on SameSite cookies alone is not sufficient: defaults vary, Lax still allows top-level GET navigations, and some clients or legacy browsers do not enforce it.	✓Privacy metadata is a reviewer aid, not proof that a workflow is safe or compliant for every jurisdiction or organization. Escalate entries that touch regulated data, customer records, credentials, browser state, production systems, or private repositories. Do not let generated descriptions replace source-backed privacy notes; require the submitter to identify actual data paths.	✓Treat any discovered credential as compromised until an owner confirms it is fake, expired, or rotated. Do not ask the assistant to test live production credentials, print secrets for debugging, or copy token values into issue comments, PR bodies, generated docs, fixtures, or screenshots. Block merge when generated artifacts, logs, snapshots, notebooks, lockfiles, or config examples include real-looking secrets or private identifiers.	✓Path traversal lets an attacker read or overwrite arbitrary files including configuration, credentials, and source code, so a single unvalidated path open can compromise the host. AI assistants frequently join user input with os.path.join or Path / without confirming the result stays inside the root, which looks correct for normal filenames but traverses on dot-dot sequences. Archive extraction without per-entry path validation is a well-known zip-slip variant that can overwrite any file the process can reach.
Privacy notes	✓CSRF tokens are security credentials; do not paste real tokens, session cookies, or production request captures into public PR comments or issues. Use synthetic accounts and redacted requests when demonstrating a CSRF proof of concept, and avoid attaching real user identifiers. Be careful that anti-CSRF tokens are not written into URLs, analytics, or logs, where they can leak through referer headers or shared dashboards.	✓The review itself can expose private repo names, tool config, prompt examples, customer-like fixtures, logs, screenshots, or vendor account details. Avoid copying secrets, private prompts, personal data, or proprietary datasets into public metadata examples. Record unknowns honestly instead of filling gaps with guessed retention, sharing, or telemetry behavior.	✓Secrets often appear next to private account IDs, customer names, repository paths, internal hostnames, prompt text, and incident context; redact surrounding context, not only the token. A model transcript, debug log, trace, or review comment can become a secondary copy of a secret even when the code diff is later cleaned. Use synthetic examples such as `EXAMPLE_API_KEY` and document the secret name or storage location without revealing the value.	✓Test cases for path traversal must use synthetic file trees; do not include real credential files, system paths, or personal data as test fixtures. Do not paste actual file contents that were reached during testing into public PR comments; use placeholder content. Be careful with error messages that include the resolved path, since they can expose internal directory structure to an attacker.
Prerequisites	A pull request, diff, or snippet containing an AI-generated or AI-edited request handler, form, or fetch call with enough context to know how the user is authenticated. Knowledge of how the framework manages sessions and CSRF tokens, since built-in protection, cookie defaults, and token helpers differ between frameworks. Awareness of which routes change state and which are read-only, so the review can focus on unsafe methods. Permission to block merge when a cookie-authenticated state change ships without a CSRF defense.	A directory entry or submission that describes an AI workflow, tool, MCP server, hook, skill, command, collection, guide, or hosted service. Permission to request edits when privacy notes, source links, data categories, or execution surfaces are missing. Access to source documentation for the tool or workflow, including where it runs and what data it reads or transmits. A review place for recording privacy-relevant assumptions, unknowns, and last-checked dates.	A repository, task, or assistant session that may touch credentials, environment variables, CI secrets, API tokens, private keys, webhook secrets, cookies, sessions, or private identifiers. A known project policy for secret storage, such as environment variables, CI secret stores, local credential helpers, or an approved vault. Permission to stop work, redact content, or request rotation if a real secret is found. Access to a scanner, review checklist, or manual inspection process before committing assistant-generated files.	A pull request, diff, or snippet of AI-generated file-handling code with enough context to know where the path comes from and where it leads. Knowledge of the language's path and file APIs, since canonical resolution and root-confinement APIs differ between runtimes. A sandbox directory where traversal-style test inputs can be exercised without touching system files. Permission to block merge when a path derived from user input is not confined to a known-safe root after canonical resolution.
Install	—	—	—	—
Config	—	—	—	—
Citations	Source repositorygithub.com 2026-06-22T09:58:37-07:00 Documentationcheatsheetseries.owasp.org Submitted by jaso0n08182026-06-22 Source methodology →	Source repositorygithub.com 2026-06-22T09:58:37-07:00 Documentationcheatsheetseries.owasp.org Submitted by MkDev112026-06-04 Source methodology →	Source repositorygithub.com 2026-06-22T09:58:37-07:00 Documentationcheatsheetseries.owasp.org Submitted by MkDev112026-06-04 Source methodology →	Source repositorygithub.com 2026-06-22T09:58:37-07:00 Documentationowasp.org Submitted by jaso0n08182026-06-19 Source methodology →
Claim	Unclaimed	Unclaimed	Unclaimed	Unclaimed