CSRF Double-Submit Cookies: The Underrated Defense for Same-Origin SaaS
The first time a pen tester filed a CSRF finding against a portal I owned, my reaction was the same as everyone else's: "We're SameSite=Lax. Aren't we fine?"
We weren't fine. And the fix wasn't the fr
hammad-khan.hashnode.dev (10 min read)