CSRF for Cookie-Based Auth (Web Apps vs APIs)
Understand when CSRF matters, why Bearer token APIs differ, and how to protect cookie sessions properly.
CSRF is mainly a problem when:

- the browser automatically attaches credentials (session cookies) to a request, and
- the server trusts those credentials to authorize a state-changing action.

Both conditions have to hold. An attacker's page can make the victim's browser send a request to your site, but it cannot read the response, and it cannot add headers the browser does not attach on its own.

## Web app using sessions (cookies)

CSRF protection is required for every state-changing request, for example:

- POST /change-email
- POST /delete-account

Accept such actions only over POST (or another non-GET method). A state change behind a GET URL can be triggered by an image tag or a plain link, and SameSite=Lax does not stop that.

## API using Authorization header (Bearer token)

CSRF is usually not the main issue here, because the browser never attaches an Authorization header on its own; the client's JavaScript has to add it, and a cross-origin page cannot do that unless your CORS policy allows it. Two caveats:

- The API must not fall back to a cookie when the header is missing. If the same endpoint also accepts the session cookie, it is a cookie-authenticated endpoint and needs CSRF protection again.
- The token has to live somewhere the client script can read it (memory or localStorage), so XSS, not CSRF, becomes the way to steal it. Bearer APIs trade one problem for another; they do not remove the need for output escaping.

## Best practice for session-based apps

Use all of the following together:

- a CSRF token: a random, unguessable value tied to the session, embedded in the form and compared with hash_equals() on the server
- SameSite cookies (Lax or Strict), as defense in depth rather than a replacement for the token, since Lax still sends the cookie on top-level GET navigations and old browsers ignore the attribute
- confirmation of sensitive actions, typically re-entering the current password before an email change or account deletion

You already learned token validation in php-35; this lesson clarifies where it applies and why.

> Next: SameSite, HttpOnly, Secure cookie flags in real deployments.
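The following is an added example, not code from this lesson or from php-35. It puts both kinds of endpoint from this page into one PHP front controller: `/change-email` is a cookie-session form protected by a per-session CSRF token, hardened cookie flags and password confirmation, while `/api/change-email` authenticates only from the Authorization header and deliberately never falls back to the cookie. The route names, the in-memory user record, the API token and the `$_SESSION['user']` login convention are assumptions made for illustration; a real app keeps users and tokens in a database.

```php
<?php
// Added example, not code from the lesson: one front controller with a
// cookie-session endpoint (needs a CSRF token) and a Bearer-token API endpoint
// (reads only the Authorization header). Users, tokens and route names are
// constructed for illustration.
declare(strict_types=1);

// Session cookie flags. SameSite=Lax still sends the cookie on top-level GET
// navigations, so state changes are accepted only over POST below.
session_set_cookie_params([
    'lifetime' => 0, 'path' => '/',
    'secure'   => true,   // HTTPS only (browsers will not store it over plain http)
    'httponly' => true,   // not readable from JavaScript
    'samesite' => 'Lax',  // 'Strict' if the app never needs cross-site entry links
]);
session_start();

// Constructed sample data; a real app reads these from its database.
$users     = ['alice' => ['hash' => password_hash('correct horse battery', PASSWORD_DEFAULT)]];
$apiTokens = [hash('sha256', 'tok_alice_example') => 'alice'];   // store token hashes, not tokens

function csrf_token(): string
{
    // One unguessable per-session token from a CSPRNG.
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_valid($submitted): bool
{
    // is_string() rejects csrf_token[]=; hash_equals() keeps the comparison constant-time.
    return is_string($submitted)
        && !empty($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

function bearer_user(array $tokenTable, string $header): ?string
{
    // Accept "Bearer <token68>" only; look the token up by its hash.
    if (!preg_match('/^Bearer\s+([A-Za-z0-9._~+\/=-]+)$/', $header, $m)) {
        return null;
    }
    return $tokenTable[hash('sha256', $m[1])] ?? null;
}

$method = $_SERVER['REQUEST_METHOD'] ?? 'GET';
$path   = parse_url($_SERVER['REQUEST_URI'] ?? '/', PHP_URL_PATH);

if ($path === '/change-email' && $method === 'GET') {
    // The token is embedded in the page; a cross-site attacker cannot read it.
    $token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
    echo '<form method="post" action="/change-email">'
       . '<input type="hidden" name="csrf_token" value="' . $token . '">'
       . '<input type="email" name="email" required>'
       . '<input type="password" name="current_password" required>'
       . '<button>Change email</button></form>';
    exit;
}

if ($path === '/change-email' && $method === 'POST') {
    if (!csrf_valid($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token');
    }
    // Confirm the sensitive action: the attacker knows neither the token nor the password.
    $user = $_SESSION['user'] ?? null;   // assumed to be set by the login handler (not shown)
    $pw   = is_string($_POST['current_password'] ?? null) ? $_POST['current_password'] : '';
    if ($user === null || !isset($users[$user]) || !password_verify($pw, $users[$user]['hash'])) {
        http_response_code(403);
        exit('Password confirmation failed');
    }
    $email = filter_var($_POST['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        http_response_code(400);
        exit('Invalid email');
    }
    $users[$user]['email'] = $email;     // persist in a real app
    exit('Email updated');
}

if ($path === '/api/change-email' && $method === 'POST') {
    header('Content-Type: application/json');
    // Note: some Apache setups drop the Authorization header unless it is passed through explicitly.
    $user = bearer_user($apiTokens, $_SERVER['HTTP_AUTHORIZATION'] ?? '');
    if ($user === null) {
        // No "?? $_SESSION['user']" fallback here: that would reintroduce CSRF.
        http_response_code(401);
        header('WWW-Authenticate: Bearer');
        exit(json_encode(['error' => 'unauthenticated']));
    }
    $body  = json_decode((string) file_get_contents('php://input'), true) ?? [];
    $email = filter_var($body['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        http_response_code(400);
        exit(json_encode(['error' => 'invalid email']));
    }
    $users[$user]['email'] = $email;     // persist in a real app
    exit(json_encode(['ok' => true]));
}

http_response_code(404);
```

To try it locally, save it as `csrf_demo.php` and run `php -S 127.0.0.1:8000 csrf_demo.php` (the file acts as the router for every request); since the built-in server speaks plain http, temporarily set `'secure'` to `false` or the browser will not keep the session cookie. Submitting the form from a page on another origin fails with 403 because the forged request carries the cookie but not the token; calling `/api/change-email` from a cross-site form fails with 401 because the browser sends no Authorization header, which is exactly the distinction this lesson draws.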