https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html
What “secure by default” should mean in WebEngine.
For normal HTML form posts, the default behavior should be:
- Every rendered HTML page automatically gets CSRF tokens injected into all method="post" forms.
- Every unsafe incoming request is verified before any page logic runs.
- Requests that fail verification are rejected with 403 Forbidden.
- Session cookies default to SameSite=Lax and HttpOnly, with Secure added when HTTPS is in use.
- As an extra layer, cross-site unsafe requests are blocked using the Sec-Fetch-Site header when the browser sends it, falling back to an Origin/Referer check when it does not.
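The defaults listed above, sketched as an added example (not WebEngine's own code) against a hypothetical request dict with `method`, `headers`, `form` and `session_token` keys; the `_csrf` field name, the `session` cookie name and the `site_origin` parameter are assumptions:

```python
import hmac
import re
from html import escape
from urllib.parse import urlsplit

UNSAFE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def _origin_of(url):
    """Scheme and host[:port] of a URL, lower-cased; 'null' yields '://'."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def verify_unsafe_request(req, site_origin):
    """Return (allowed, reason). Runs before any page logic; 403 on False."""
    if req["method"].upper() not in UNSAFE_METHODS:
        return True, "safe method"
    headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
    # Extra layer: Sec-Fetch-Site when present ("none" is a user-initiated
    # navigation), otherwise Origin, then Referer, must match our origin.
    sfs = headers.get("sec-fetch-site")
    if sfs is not None:
        if sfs not in ("same-origin", "same-site", "none"):
            return False, "cross-site per Sec-Fetch-Site"
    else:
        source = headers.get("origin") or headers.get("referer")
        if source is None or _origin_of(source) != site_origin.lower():
            return False, "origin/referer mismatch"
    # Main defence: synchronizer token in the form must equal the session's.
    expected, submitted = req.get("session_token"), req.get("form", {}).get("_csrf")
    if not expected or not submitted or not hmac.compare_digest(
        expected.encode(), submitted.encode()
    ):
        return False, "missing or invalid CSRF token"
    return True, "verified"


FORM_RE = re.compile(r'(<form\b[^>]*\bmethod\s*=\s*["\']?post["\']?[^>]*>)', re.I)


def inject_csrf_tokens(page, token):
    """Insert a hidden _csrf field right after every <form method="post"> tag."""
    field = f'<input type="hidden" name="_csrf" value="{escape(token)}">'
    return FORM_RE.sub(lambda m: m.group(1) + field, page)


def session_cookie_header(value, https):
    """Set-Cookie value: SameSite=Lax and HttpOnly always, Secure on HTTPS."""
    attrs = [f"session={value}", "Path=/", "HttpOnly", "SameSite=Lax"]
    if https:
        attrs.append("Secure")
    return "; ".join(attrs)
```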