Hey Desain, thanks for reading and leaving a comment. I’m glad you brought up the CSRF question. I wanted to include a mention of it, but it’s a whole other topic unto itself. To keep things short, yes, I generally advise using synchronizer tokens and same-site cookies. I’ve also used double-submit tokens in the past. They all have their pros and cons, and it gets really complicated when you get into caching. OWASP has a great article that goes deeper: https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html. Hope you find that helpful.