Rescue CSRF state token review

securityEXTREMESECURITY DEBUGGING

Rescue CSRF state token review

Extreme Security Basics arena: same-site cookies, state tokens, origin checks, and replay resistance

XP reward

585

Coins

Target time

75m

Mission locked

Missing prerequisites: security-easy-csrf-state-token

A settings update endpoint is protected by login but not by a trustworthy state-changing request guard. You are working inside a secure engineering review room, and the arena only clears when the result is safe, deterministic, and explainable.

Learning objective

Learn to apply same-site cookies, state tokens, origin checks, and replay resistance in a secure engineering review room while explaining the invariant, safety constraints, and hidden edge cases.

Mission order

Requests contain cookies, origin headers, form payloads, and optional anti-CSRF tokens. Minimize blast radius, make the result auditable, and explain the tradeoff you chose. Submit the solution plus enough reasoning to pass hidden edge cases.

Visible checks

reproduces the reported failure

Expected: minimal failing case

adds a regression test

Expected: test fails before fix

Clear requirements

Demonstrates same-site cookies, state tokens, origin checks, and replay resistance
Handles the visible sample and hidden edge cases
Keeps output deterministic and explainable
Avoids unsafe dynamic execution

Secure validation contract

Judge type

SECURITY DEBUGGING

Complexity target

Minimal reproduction, source-cause fix, and regression test

Workspace

Code editor

locked