Block Old Browsers if You Use SameSite Cookies to Prevent CSRF

One way to mitigate CSRF attacks is to only allow cookies to be forwarded along with a request if they are from the same site, SameSite=Lax or SameSite=Strict. However, not all browsers support this setting yet.

If you are relying on this browser behavior then you need to block requests from old browsers—roughly 10% of the market. Otherwise, someone could perform a CSRF attack using an old browser.

See also:

  • One way to secure web-based refresh tokens is set it in a SameSite cookie
  • How Refresh Tokens Work

    A refresh token in an OAuth setup using Json Web Tokens (JWT) is used to request a new access token. Because access tokens are short lived (to minimize the impact of a token being exfiltrated), a long lived refresh token is commonly used to, for example, stay logged into an app rather than need to log in every n minutes (the length of the access token).