This line is just incorrect: > The only correct CSRF mitigation is a CSRF token Custom headers are better, imho, if you have an ajax-driven app. There is 0 chance of csrf ever happening if you require the session token…
This line is just incorrect: > The only correct CSRF mitigation is a CSRF token Custom headers are better, imho, if you have an ajax-driven app. There is 0 chance of csrf ever happening if you require the session token…