DEV Community

Discussion on: Authentication and Laravel Airlock

Michael Z

Doesn't SameSite: Lax already protect against CSRF tokens on evergreen browsers?

Mohamed Said

If you are 100% sure all your users are on an evergreen browser then yes. But it's always a good practice to use all the extra security layers to protect your users.

Michael Z

Yes, that's very true.
But what stops the attacker from retrieving a fresh CSRF token using the /csrf-cookie endpoint? Are there security measures in place?

Mohamed Said

If they gain access to the cookies then yes. The whole point is just adding more layers of security and following all recommendations and best practices.
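The two layers the thread talks about, SameSite=Lax on the cookies and a token check on every state-changing request, can be replayed in a small in-memory model. The following is an added example written for this page; it is not Airlock's code and not anything Mohamed or Michael posted. It assumes Laravel's conventions for the cookie and header names (`laravel_session`, `XSRF-TOKEN`, `X-XSRF-TOKEN`, status 419 on a token mismatch) and models `/csrf-cookie` as starting a session for callers that have none, which is how a Laravel session middleware behaves; the `browser_sends` function is a deliberately simplified stand-in for how an evergreen browser applies SameSite=Lax. The last scenario is the one Michael asks about: a cross-site page can call `/csrf-cookie`, but the token it receives is bound to whatever session that request carried, which is never the victim's.

```python
import hmac
import secrets

# Constructed example, not Airlock's code: an in-memory model of the
# SPA cookie/CSRF flow and of how a browser applies SameSite=Lax.

SESSION_COOKIE = "laravel_session"   # HttpOnly; SameSite=Lax
XSRF_COOKIE = "XSRF-TOKEN"           # readable by same-origin JS; SameSite=Lax
XSRF_HEADER = "X-XSRF-TOKEN"
LAX_COOKIES = {SESSION_COOKIE, XSRF_COOKIE}

# session id -> session data; stands in for the session driver
SESSIONS: dict[str, dict[str, str]] = {}


def csrf_cookie_endpoint(cookies: dict[str, str]) -> dict[str, str]:
    """Model GET /csrf-cookie: start a session if the caller has none (assumed
    Laravel behaviour), mint a token bound to *that* session, and return the
    cookies the response sets."""
    sid = cookies.get(SESSION_COOKIE)
    issued: dict[str, str] = {}
    if sid not in SESSIONS:
        sid = secrets.token_urlsafe(32)
        SESSIONS[sid] = {}
        issued[SESSION_COOKIE] = sid
    token = secrets.token_urlsafe(32)
    SESSIONS[sid]["_token"] = token
    issued[XSRF_COOKIE] = token
    return issued


def handle_post(cookies: dict[str, str], headers: dict[str, str]) -> int:
    """Server side of a state-changing request. Returns an HTTP status:
    401 when no session is present, 419 (Laravel's token-mismatch status)
    when the header does not match the session's token, 200 otherwise."""
    session = SESSIONS.get(cookies.get(SESSION_COOKIE, ""))
    if session is None:
        return 401
    expected = session.get("_token", "")
    presented = headers.get(XSRF_HEADER, "")
    if not expected or not hmac.compare_digest(presented, expected):
        return 419
    return 200


def browser_sends(jar: dict[str, str], *, cross_site: bool,
                  top_level_get: bool = False,
                  honours_samesite: bool = True) -> dict[str, str]:
    """Which cookies a browser attaches. An evergreen browser withholds
    SameSite=Lax cookies on cross-site requests except top-level GET
    navigations; a legacy browser (honours_samesite=False) sends everything."""
    if cross_site and honours_samesite and not top_level_get:
        return {k: v for k, v in jar.items() if k not in LAX_COOKIES}
    return dict(jar)


def run_scenarios() -> dict[str, int]:
    """Replay the cases from the discussion and return the status each one gets."""
    results: dict[str, int] = {}

    # Victim's SPA bootstraps its session and CSRF token on the same site.
    victim: dict[str, str] = {}
    victim.update(csrf_cookie_endpoint(browser_sends(victim, cross_site=False)))

    # 1. Legitimate request: same-origin JS reads XSRF-TOKEN and echoes it as a header.
    sent = browser_sends(victim, cross_site=False)
    results["spa_same_site"] = handle_post(sent, {XSRF_HEADER: sent[XSRF_COOKIE]})

    # 2. Forged cross-site POST, evergreen browser: layer 1 withholds both Lax cookies.
    sent = browser_sends(victim, cross_site=True)
    results["forged_evergreen"] = handle_post(sent, {})

    # 3. Same forgery, legacy browser: cookies ride along, but the cross-origin page
    #    cannot read XSRF-TOKEN, so no header reaches layer 2.
    sent = browser_sends(victim, cross_site=True, honours_samesite=False)
    results["forged_legacy"] = handle_post(sent, {})

    # 4. The question from the thread: a cross-site page calls /csrf-cookie. No victim
    #    cookies go out, so the server binds the new token to a fresh, unrelated session.
    #    Replaying it against the victim's cookies (legacy browser, worst case) fails.
    foreign = csrf_cookie_endpoint(browser_sends(victim, cross_site=True))
    sent = browser_sends(victim, cross_site=True, honours_samesite=False)
    results["replayed_foreign_token"] = handle_post(sent, {XSRF_HEADER: foreign[XSRF_COOKIE]})

    return results


if __name__ == "__main__":
    for name, status in run_scenarios().items():
        print(f"{name:24s} -> {status}")
```

Scenario 2 is the SameSite layer doing the work on its own; scenarios 3 and 4 are the cases where the token check is the layer that still holds, which is the "extra layer" argument in the replies above. The model does not cover a script-injection (XSS) foothold on the same origin, where the token is readable and neither layer helps.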