Skip to content

CSRF protection for cookie-based refresh #2075

New issue
New issue
Open
Open
CSRF protection for cookie-based refresh#2075
Labels
feature: missingmilestone: missingrole: Missingsize: missing
@geolunalg

Description

@geolunalg
geolunalg
opened on Jan 27, 2026

EPIC: Epic: Authentication & Session Management (JWT + Refresh) #2065

Overview

User Story:
As a system, I want to prevent CSRF attacks on endpoints that rely on cookies.

Action Items

Acceptance Criteria:

  • Refresh/logout endpoints are protected by:
    • SameSite cookie settings and/or
    • CSRF token (double submit or header-based)
  • Backend rejects refresh requests missing CSRF proof (if implemented).

Resources/Instructions

REPLACE THIS TEXT - If there is a website that has documentation that helps with this issue provide the link(s) here.

Metadata

Metadata

Assignees

No one assigned

    Labels

    feature: missingmilestone: missingrole: Missingsize: missing

    Type

    No type

    Projects

    P: VRMS: Project Board

    Status

    New Issue Approval

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions