FAQ-000044 - API Security Headers / Cookie Security


Current FAQ

Question
What are the requirements for cookie SameSite attributes in cross-site integrations?
Answer
The requirements for cookie SameSite attributes in cross-site integrations include implementing the SameSite cookie attribute to mitigate CSRF vulnerabilities throughout the application. Alternatively, a CSRF token can be implemented on all sensitive, state changing, and authenticated operations. These measures should be listed and detailed during the review process.

AI Recommended Enhancement

Related Security Rules
- ApexCSRF
- VfCsrf
Question
What are the requirements for cookie SameSite attributes in cross-site integrations?
Recommended Answer Update
The requirements for cookie SameSite attributes in cross-site integrations include implementing the SameSite cookie attribute to mitigate CSRF vulnerabilities throughout the application. Alternatively, you can implement a CSRF token on all sensitive, state-changing, and authenticated operations. These measures should be documented and detailed during the review process.
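As an added example (not code from the FAQ, from Salesforce, or from the ApexCSRF/VfCsrf rules), the following Python shows both controls named in the original answer and in the recommended update above: a session cookie issued with a SameSite attribute, and a per-session CSRF token that is checked on every state-changing request. The function names, the `Request` dataclass, the origin `https://app.example` and the sample requests are constructed for illustration. It also encodes two caveats a reviewer would check for: `SameSite=None` is only honoured by browsers when `Secure` is also set, and `SameSite=Lax` still allows top-level GET navigations, so a GET handler must never change state.

```python
import hmac
import secrets
from dataclasses import dataclass

# Valid SameSite values; anything else is rejected rather than silently emitted.
ALLOWED_SAMESITE = {"Strict", "Lax", "None"}

# Methods that must be side-effect free; SameSite=Lax lets a cross-site
# top-level navigation send the cookie on these, so they get no token check.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def build_set_cookie(name, value, samesite="Lax", secure=True, http_only=True, path="/"):
    """Render a Set-Cookie header value with an explicit SameSite attribute."""
    if samesite not in ALLOWED_SAMESITE:
        raise ValueError(f"unsupported SameSite value: {samesite!r}")
    if samesite == "None" and not secure:
        # Browsers drop SameSite=None cookies that lack Secure.
        raise ValueError("SameSite=None requires the Secure attribute")
    parts = [f"{name}={value}", f"Path={path}", f"SameSite={samesite}"]
    if secure:
        parts.append("Secure")
    if http_only:
        parts.append("HttpOnly")
    return "; ".join(parts)


@dataclass
class Request:
    """Minimal stand-in for a framework request object (constructed for this example)."""
    method: str
    path: str
    headers: dict
    cookies: dict
    form: dict


def issue_csrf_token(session):
    """Create a fresh random token, store it server-side in the session, and return it
    so the page can embed it in forms or expose it for an X-CSRF-Token header."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def state_change_allowed(request, session, site_origin):
    """Decide whether a request may perform a state change.

    Returns (allowed, reason). Safe methods pass. Everything else must carry a
    CSRF token matching the one in the session, and if the browser sent an
    Origin header it must be our own origin (defence in depth next to SameSite).
    """
    if request.method.upper() in SAFE_METHODS:
        return True, "safe method"
    origin = request.headers.get("Origin")
    if origin is not None and origin != site_origin:
        return False, "cross-site Origin"
    expected = session.get("csrf_token")
    supplied = request.form.get("csrf_token") or request.headers.get("X-CSRF-Token")
    if not expected or not supplied:
        return False, "missing CSRF token"
    # Constant-time comparison so token checking does not leak timing information.
    if not hmac.compare_digest(expected, supplied):
        return False, "CSRF token mismatch"
    return True, "token valid"


if __name__ == "__main__":
    site = "https://app.example"  # constructed origin
    session = {}
    token = issue_csrf_token(session)
    print(build_set_cookie("sid", "opaque-session-id", samesite="Lax"))

    # Constructed requests: a legitimate same-site POST and a forged cross-site one.
    good = Request("POST", "/transfer", {"Origin": site}, {"sid": "opaque-session-id"},
                   {"csrf_token": token, "amount": "10"})
    forged = Request("POST", "/transfer", {"Origin": "https://attacker.example"},
                     {"sid": "opaque-session-id"}, {"amount": "10"})
    print(state_change_allowed(good, session, site))
    print(state_change_allowed(forged, session, site))
```

In review, the two things to record are which SameSite value each cookie is issued with (and why any `None` is justified) and which handlers are covered by `state_change_allowed` or its framework equivalent; a state change reachable through a safe method, or a POST handler outside the check, is the gap both rules above are looking for.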
Reasoning
The original answer had minor clarity issues: 'a CSRF token can be implemented' was changed to 'you can implement a CSRF token' for more direct language, following the brand guidelines to be conversational and use active voice. 'state changing' was corrected to 'state-changing' for proper hyphenation of compound modifiers. 'listed and detailed' was simplified to 'documented and detailed' to be more precise about what's actually needed during review. These changes improve readability while preserving all original information and technical accuracy.

For security rules selected: ApexCSRF is directly relevant because this FAQ discusses CSRF mitigation requirements, and the rule detects CSRF vulnerabilities in Apex code; the FAQ's mention of 'CSRF token...on all sensitive, state changing, and authenticated operations' directly relates to what this rule helps identify. VfCsrf is relevant because it detects CSRF vulnerabilities in Visualforce pages, and cross-site integrations often involve Visualforce components; the FAQ's discussion of 'cookie SameSite attributes in cross-site integrations' and 'CSRF vulnerabilities throughout the application' encompasses the Visualforce security concerns this rule addresses.