CSRF vs XSS mitigation
Slap yourself if
You treat CSRF and XSS as interchangeable or think fixing one meaningfully protects you from the other.
Why this exists
Because teams routinely deploy the wrong mitigation, feel safe, and then get breached by the attack they didn’t actually defend against.
Mental model
CSRF abuses ambient authority. XSS injects authority. One exploits trust in requests; the other compromises the execution context itself.
- CSRF causes a trusted browser to send an unintended request.
- XSS causes attacker-controlled code to execute in a trusted origin.
- CSRF relies on cookies being sent implicitly.
- XSS bypasses most request-level defenses entirely.
Common mistakes
- Adding CSRF tokens and assuming XSS is now less dangerous.
- Relying on SameSite cookies as a complete CSRF solution.
- Using output encoding inconsistently and calling it XSS mitigation.
- Thinking CORS protects against XSS.
CSRF exploits the browser’s automatic credential sending, while XSS compromises the execution context; they require fundamentally different mitigation strategies.
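The two mitigations side by side, as an added example that is not from the original page: a minimal comment handler whose per-session CSRF token check rejects a cross-site form post, but happily accepts a same-site post carrying a script payload, so only output encoding decides whether that script reaches the origin's DOM. Function names such as `post_comment` and `demo` are assumptions made for this illustration.

```python
import hmac
import html
import secrets


def issue_csrf_token(session: dict) -> str:
    # Mint a per-session token; the site's own pages embed it in their forms.
    session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def csrf_token_valid(session: dict, form: dict) -> bool:
    # Request-level check: the form must echo the token bound to this session.
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token")
    if not expected or not supplied:
        return False
    return hmac.compare_digest(expected, supplied)


def render_comment_unsafe(comment: str) -> str:
    # Vulnerable rendering: user text is dropped straight into the page.
    return f"<p>{comment}</p>"


def render_comment(comment: str) -> str:
    # Hardened rendering: HTML-encode before the text reaches the origin's DOM.
    return f"<p>{html.escape(comment, quote=True)}</p>"


def post_comment(session: dict, form: dict, encode_output: bool) -> tuple:
    # Handle a state-changing POST; returns (status, body).
    if not csrf_token_valid(session, form):
        return 403, "rejected: CSRF token missing or invalid"
    renderer = render_comment if encode_output else render_comment_unsafe
    return 200, renderer(form.get("comment", ""))


def demo() -> dict:
    session = {}  # stands in for the cookie-backed server session
    token = issue_csrf_token(session)
    payload = "<script>alert(1)</script>"  # constructed sample of hostile input
    ok = {"csrf_token": token, "comment": payload}
    return {
        # Cross-site form post: the browser attaches the cookie, but the other
        # origin never saw the token, so the request-level check fails.
        "forged_no_token": post_comment(session, {"comment": "x"}, True)[0],
        # Same-site post with a valid token: CSRF check passes either way, and
        # only output encoding decides whether the script lands in the page.
        "token_ok_unencoded": post_comment(session, ok, False)[1],
        "token_ok_encoded": post_comment(session, ok, True)[1],
    }
```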
Red flags
- Calls them both request forgery.
- Claims CSRF tokens help against XSS.
- Mentions CORS for XSS defense.
- Focuses on tools instead of threat models.