From f54e40e0ce926855a618237dbcce782d313b13e7 Mon Sep 17 00:00:00 2001 From: Ryan Rudder <96507400+RRudder@users.noreply.github.com> Date: Fri, 5 May 2023 13:38:52 +1000 Subject: [PATCH] Update rec for CSRF Token Not Unique Per Request --- .../csrf_token_not_unique_per_request/recommendations.md | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/submissions/description/cross_site_scripting_xss/cross_site_request_forgery_csrf/csrf_token_not_unique_per_request/recommendations.md b/submissions/description/cross_site_scripting_xss/cross_site_request_forgery_csrf/csrf_token_not_unique_per_request/recommendations.md index d7eeff6c..dcce2062 100644 --- a/submissions/description/cross_site_scripting_xss/cross_site_request_forgery_csrf/csrf_token_not_unique_per_request/recommendations.md +++ b/submissions/description/cross_site_scripting_xss/cross_site_request_forgery_csrf/csrf_token_not_unique_per_request/recommendations.md @@ -2,7 +2,14 @@ A Cross-Site Request Forgery (CSRF) token should be included within all relevant requests. The CSRF token needs to be unpredictable, tied to a user's session, strictly validated before actions are executed, and not be stored within cookies. -CSRF tokens can be used to prevent CSRF attacks by making it near impossible for a malicious attacker to predict and construct a valid HTTP request of a user because they don't know the value of the CSRF token. Therefore, any request that a malicious attacker attempts to construct will not have all of the necessary parameters for the application to validate and execute the request. +Some other best practices include the following: + +- Ensure that the framework is using built-in or existing CSRF prevention protections that exist within most major frameworks +- Use the `SameSite` cookie attribute, which can have the values of `Lax`, `Strict`, or `None`. For example: + + ``` HTTP + Set-Cookie: JSESSIONID=xxxxx; SameSite=Strict + ``` For more information, please see:
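Review bot: The new `SameSite` bullet lists `None` as one of the values without saying that `None` gives no CSRF protection at all (it also requires the `Secure` attribute to be accepted by browsers), and that `Lax` still sends the cookie on top-level GET navigations, so any state-changing GET endpoint stays exposed. As written, a reader could set `SameSite=None` or `Lax` and believe they have addressed the finding. Suggest rewording the bullet so it is explicit that `SameSite` is defense in depth alongside the token, not a replacement for it, e.g. `- Set the SameSite cookie attribute on session cookies (Strict where possible, Lax otherwise); None disables this protection and must be combined with Secure`, and extend the example to `Set-Cookie: JSESSIONID=xxxxx; SameSite=Strict; Secure; HttpOnly`. Two smaller points in the same hunk: the first bullet reads awkwardly ("built-in or existing CSRF prevention protections that exist within most major frameworks"), so something like "Use the CSRF protection built into the web framework rather than a custom implementation" is clearer; and the fence is opened as "``` HTTP" with a space and uppercase tag, which CommonMark tolerates but the rest of the repository's markdown is likelier to use as "```http". Finally, since the finding is specifically about tokens not being unique per request, the removed paragraph was the only place that explained why token unpredictability matters; consider keeping a sentence on that, or stating what the recommended token lifetime is (per session versus per request) so the recommendation actually speaks to the title.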