CSRF Protection Prompts
AI prompts for CSRF protection from the LearnWithHasan AI Coding Building Blocks (Security).
Turn On CSRF Protection for My Forms
Start here. Turning protection on for server-rendered forms is usually a two-line change.
From the CSRF Protection AI Coding Building Block.
Add CSRF protection to my [Django / Rails / Laravel / Express] app and show me the form changes I need to make. I want you to:
1. Confirm whether CSRF middleware is already enabled by default in my framework
2. Show me the exact line(s) I need to add to each HTML form to include the token
3. Explain what happens on submit when the token is missing or wrong (what status code, what error message)
4. Tell me how to test it: one request with the token (should succeed), one without (should get rejected)
My stack: [your framework and version here]
Form page I want to protect: [path or URL]
I am learning, so explain each part simply.
Add CSRF to My AJAX / JSON API Calls
For SPAs that still use session cookies, this is the standard pattern.
From the CSRF Protection AI Coding Building Block.
My [React / Vue / plain JS] frontend makes AJAX requests to my [Django / Rails / Express] backend using session cookies. Set up CSRF protection for these requests. Walk me through:
1. The double-submit cookie pattern: server sets a CSRF cookie, frontend reads it and sends it back in a header like X-CSRF-Token
2. Exactly where to set the cookie on the backend and how to read it in the frontend
3. Which fetch/axios interceptor to add so I do not have to remember the header on every call
4. What the server should do when the header is missing or does not match (reject with 403)
My stack: [your backend and frontend frameworks here]
Show working code for one endpoint end to end.
I am learning, so explain each part simply.
Add SameSite Cookies as a Second Line of Defense
SameSite on session cookies stops the browser from sending them on cross-site requests: belt and braces alongside CSRF tokens.
From the CSRF Protection AI Coding Building Block.
I already have CSRF tokens turned on. Now I want to harden my session cookies with the SameSite attribute as defense in depth. Explain and then change my config so that:
1. My session cookie is set with SameSite=Lax (or Strict, and you tell me which fits my app)
2. I understand what each value means: None / Lax / Strict, and what breaks with each
3. I know which cross-origin requests will stop working after the change (for example, logins via an external link)
4. My cookie is also marked Secure and HttpOnly where appropriate
My stack: [your framework here]
Do I have any third-party sites that POST to me legitimately? [yes/no, details]
I am learning, so explain each part simply and call out any surprise that might break users.
Audit My App for Missing CSRF Protection
Run this periodically or after any route change. csrf_exempt is usually the bug.
From the CSRF Protection AI Coding Building Block.
Review my app for endpoints that change state but might be missing CSRF protection. Here is my route list / URL config:
[paste your routes, urls.py, or route file here]
For each endpoint, tell me:
1. Does it change state (POST, PUT, PATCH, DELETE, or a state-changing GET)?
2. Does it rely on a session cookie for auth? (If yes, CSRF applies. If it is a bearer-token API only, CSRF does not apply.)
3. Is CSRF middleware covering it? Or has someone @csrf_exempt-ed it? (flag every exemption)
4. For endpoints that should be protected but are not, show me exactly what to add.
Framework: [your framework here]
I am learning, so explain each finding simply, and be blunt about anything that looks risky.