Doesn't samesite: lax already protect against csrf tokens on evergreen browsers?
If you are 100% sure all your users are on an evergreen browser then yes. But it's always a good practice to use all the extra security layers to protect your users.
Yes that's very true.
But what stops the attacker from retrieving a fresh csrf token using the /csrf-cookie endpoint? Are there security measures in place?
If they gain access to the cookies then yes. The whole point is just adding more layers of security and following all recommendations and best practices.
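An added model (not code from the thread or from any project) of the setup the replies describe: a session cookie flagged SameSite=Lax plus a readable XSRF-TOKEN cookie issued by a /csrf-cookie endpoint. It shows that a cross-site page can trigger /csrf-cookie but, under the same-origin policy, cannot read the resulting cookie and so cannot supply the matching header; SITE, the endpoint paths, the cookie and header names and the browser simplification noted in the code are all assumptions.

```python
import secrets
SITE = "app.example"  # constructed: the site that serves /csrf-cookie and /transfer

class Browser:
    """Cookie jar. Simplification: every cross-site GET counts as a top-level navigation (Lax's most permissive case)."""
    def __init__(self):
        self.jar = {}  # cookie name -> (value, SameSite attribute)
    def cookies_for(self, method, initiator):
        return {n: v for n, (v, ss) in self.jar.items()
                if initiator == SITE or ss == "None" or (ss == "Lax" and method == "GET")}

class Server:
    """Session cookie plus a readable XSRF-TOKEN cookie, both carrying the configured SameSite."""
    def __init__(self, samesite):
        self.samesite, self.sessions = samesite, {}  # session id -> current CSRF token
    def handle(self, method, path, cookies, headers):
        if path == "/login":
            sid = secrets.token_hex(16); self.sessions[sid] = None
            return 200, [("session", sid, self.samesite)]
        sid = cookies.get("session")
        if sid not in self.sessions:
            return 401, []  # no session cookie arrived with the request
        if method == "GET" and path == "/csrf-cookie":
            token = self.sessions[sid] = secrets.token_hex(16)
            return 204, [("XSRF-TOKEN", token, self.samesite)]
        if method == "POST" and path == "/transfer":
            expected, sent = self.sessions[sid], headers.get("X-XSRF-TOKEN")
            if expected and sent and secrets.compare_digest(sent, expected):
                return 200, []
            return 403, []  # header missing or does not match the session's token
        return 404, []

def send(browser, server, method, path, initiator):
    """Request issued by a page on `initiator`; it sends X-XSRF-TOKEN only if it can read the cookie."""
    # Same-origin policy: only the app's own pages can read the app's cookies via document.cookie.
    token = browser.jar.get("XSRF-TOKEN", (None, None))[0] if initiator == SITE else None
    headers = {"X-XSRF-TOKEN": token} if token else {}
    status, set_cookies = server.handle(method, path, browser.cookies_for(method, initiator), headers)
    for name, value, samesite in set_cookies:
        browser.jar[name] = (value, samesite)
    return status

def scenario(samesite):
    """Return (legitimate POST status, cross-site POST status) for one SameSite setting."""
    b, s = Browser(), Server(samesite)
    send(b, s, "POST", "/login", SITE)
    send(b, s, "GET", "/csrf-cookie", SITE)
    legit = send(b, s, "POST", "/transfer", SITE)
    send(b, s, "GET", "/csrf-cookie", "attacker.example")  # cross-site page can trigger a fresh token
    forged = send(b, s, "POST", "/transfer", "attacker.example")  # but cannot read it, so no header
    return legit, forged
```

With SameSite=Lax the forged POST never even carries the session cookie (401); with SameSite=None, as on a browser that ignores the attribute, the session cookie does arrive but the token header cannot be supplied, so the CSRF check still rejects it (403).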