CSRF is a

• Client-side issue
• Server-side issue
• Both

The server sets and verifies the CSRF token

CSRF issue that can occur are:

• Missing CSRF token
• CSRF token vulnerable to XSS
• CSRF token is not verified on the server
• CSRF token is too short and guessable
• CSRF token is added twice

I am sneaky because I never talked about it being guessable but you can reason why this is an issue. Tokens being added twice is not really a security issue as long is as it is verified properly.

What are some security tips for CSRF?

• Always scatter CSRF generators and validators
• Check the full parameter and not just part of it
• Perform XSS input validation
• Use a hash comperating function because a normal comperator (such as == ) might open you up to type mismatching attacks
• Bind the CSRF token to the session