Update rec for CSRF Token Not Unique Per Request

submissions/description/cross_site_scripting_xss/cross_site_request_forgery_csrf/csrf_token_not_unique_per_request/recommendations.md

@@ -2,7 +2,14 @@
 
 A Cross-Site Request Forgery (CSRF) token should be included within all relevant requests. The CSRF token needs to be unpredictable, tied to a user's session, strictly validated before actions are executed, and not be stored within cookies.
 
-CSRF tokens can be used to prevent CSRF attacks by making it near impossible for a malicious attacker to predict and construct a valid HTTP request of a user because they don't know the value of the CSRF token. Therefore, any request that a malicious attacker attempts to construct will not have all of the necessary parameters for the application to validate and execute the request.
+Some other best practices include the following:
+
+- Ensure that the framework is using built-in or existing CSRF prevention protections that exist within most major frameworks
+- Use the `SameSite` cookie attribute, which can have the values of `Lax`, `Strict`, or `None`. For example:
+
+    ``` HTTP
+    Set-Cookie: JSESSIONID=xxxxx; SameSite=Strict
+    ```
 
 For more information, please see: