Correct option is C
The most robust protection against CSRF attacks is the synchronizer token pattern: a token generated server-side, bound to the user's session, and rotated for each request. The attacker's page lives on a different origin, so the same-origin policy prevents it from reading the token out of the victim's page; the forged request therefore arrives with the victim's cookies but without a valid token, and the server rejects it. Rotating the token per request adds a second property: each token is one-time use and tied to a single session, so a token that does leak (through a log, a Referer header, or a cached page) cannot be replayed.
For example:
1. A unique, unguessable CSRF token (from a cryptographic random source) is generated for each session or request and stored server-side against that session.
2. The token is embedded in a hidden form field, or sent in a custom request header for fetch/XHR calls, so that only same-origin code can supply it.
3. On submission, the server reads the token from the form body or header, looks it up in the session's stored tokens using a constant-time comparison, rejects the request if the token is missing, unknown, expired, or belongs to another session, and consumes the token before performing any state change.
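The three steps above, carried through as an added example (not code from the original page or from any particular framework). It models the server side with plain dictionaries: the session store, the hypothetical `/transfer` endpoint, the token lifetime, and all function names are assumptions made for the illustration, and the forged and replayed submissions are constructed inputs.

```python
"""
Synchronizer-token CSRF defence with per-request, one-time tokens.
Added example: framework-free, session state kept in an in-memory dict.
"""
import hmac
import secrets
import time
from typing import Dict, Optional

TOKEN_TTL_SECONDS = 15 * 60  # hypothetical lifetime; tune to how long a form stays open

# Hypothetical server-side session store: session_id -> session data.
# Each session keeps its own token -> issued-at map, so tokens are session-bound.
SESSIONS: Dict[str, dict] = {}


def new_session() -> str:
    """Create a session (the session id itself would travel in an HttpOnly cookie)."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": "alice", "csrf_tokens": {}}
    return sid


def issue_csrf_token(sid: str) -> str:
    """Step 1: mint a fresh unguessable token and bind it to this session only."""
    token = secrets.token_urlsafe(32)
    SESSIONS[sid]["csrf_tokens"][token] = time.monotonic()
    return token


def render_form(sid: str) -> str:
    """Step 2: embed the token in a hidden field. The same value could instead be
    handed to same-origin script and sent in a custom header for fetch/XHR calls."""
    token = issue_csrf_token(sid)
    return (
        '<form method="post" action="/transfer">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input name="amount"><button>Send</button></form>'
    )


def validate_csrf(sid: str, submitted: Optional[str]) -> bool:
    """Step 3: accept only a token this session issued that is unexpired and unused.
    A matching token is consumed, so replaying the same form post fails."""
    session = SESSIONS.get(sid)
    if session is None or not submitted:
        return False  # unknown session or no token at all (the typical forged request)
    now = time.monotonic()
    submitted_bytes = submitted.encode()
    for token, issued in list(session["csrf_tokens"].items()):
        if now - issued > TOKEN_TTL_SECONDS:
            del session["csrf_tokens"][token]  # drop stale tokens as we go
            continue
        # constant-time comparison so the check does not leak where bytes differ
        if hmac.compare_digest(token.encode(), submitted_bytes):
            del session["csrf_tokens"][token]  # one-time use
            return True
    return False


def handle_transfer(sid: str, form: dict) -> str:
    """Hypothetical state-changing endpoint; the CSRF check runs before any side effect."""
    if not validate_csrf(sid, form.get("csrf_token")):
        return "403 Forbidden: missing or invalid CSRF token"
    return f"200 OK: transferred {form['amount']}"


def demo() -> Dict[str, str]:
    """Legitimate submit, replay of the same token, forged post without a token,
    and a guessed token. Only the first should succeed."""
    sid = new_session()
    html = render_form(sid)
    token = html.split('name="csrf_token" value="')[1].split('"')[0]
    return {
        "legit": handle_transfer(sid, {"csrf_token": token, "amount": "10"}),
        "replay": handle_transfer(sid, {"csrf_token": token, "amount": "10"}),
        # attacker's cross-origin page cannot read the hidden field, so it sends none
        "forged": handle_transfer(sid, {"amount": "9999"}),
        "guessed": handle_transfer(sid, {"csrf_token": secrets.token_urlsafe(32), "amount": "9999"}),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:8s} -> {result}")
```

The per-session token map is what makes a token from one session useless in another; the `del` on match is what makes it one-time. In a real deployment the session store would live in a server-side cache or database rather than a module-level dict, and the `/transfer` handler would also check the request method and the `Origin` or `Sec-Fetch-Site` header as defence in depth.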
Important Key Points:
1. Tokens generated per request (rather than once per session) make each token one-time use, adding a second layer on top of session binding. The trade-off is usability: a stale tab or the browser back button submits an already-consumed token, which is why many frameworks default to one token per session and rotate it only on login or privilege change.
2. They limit the damage from a leaked token: a value that escapes through a log, a Referer header, or a cached page has already been consumed or is invalid for any other session. In the normal CSRF threat model the attacker cannot read the token at all, so per-request rotation is defence in depth rather than the primary control.
3. Binding tokens to session data ensures that a token issued to one session is rejected in any other; a leaked token can only be used by first hijacking the session it belongs to, at which point the attacker no longer needs CSRF.
Knowledge Booster:
· Using HTTP-only cookies for CSRF tokens: this does not protect against CSRF at all. The browser attaches cookies to every request to the site automatically, including a forged cross-site one, so a token carried only in a cookie travels with the attack and proves nothing about where the request came from. HttpOnly also breaks the double-submit cookie pattern, which relies on same-origin script reading the cookie value and copying it into a header or form field. HttpOnly is the right flag for the session cookie, where it blunts theft via XSS, not for the CSRF token.
· Embedding CSRF tokens in hidden form fields: this is the standard delivery mechanism for the synchronizer token pattern and is sound as long as the token is unguessable, bound to the session, and validated on every state-changing request; rotating it per request hardens it further.
· Implementing CAPTCHA along with CSRF tokens: a CAPTCHA adds friction on the specific form that carries it and can block a forged submission of that form, but it does not extend to API endpoints or AJAX calls and does nothing to secure the token mechanism itself.
· Restricting CORS policies to specific domains: CORS controls whether cross-origin script may read a response, not whether the browser sends the request. A form POST with a standard content type is a "simple" request that needs no preflight, so the forged state-changing request reaches the server regardless of the CORS configuration. CSRF is cross-origin by definition, and CORS is not the control that stops it.