The sole purpose of a (secret) CSRF token is to help the application distinguish authenticated requests from unauthenticated ones. Any request that does not carry a CSRF token is treated as unauthenticated and rejected, since CSRF tokens are only made available to authenticated users. Contrary to this, in one application the CSRF tokens were generated before login and, worse, were not regenerated after the user authenticated successfully. This defeats the purpose of the anti-CSRF approach.

Anti-CSRF best practices:

- Don't issue CSRF tokens before authentication.
- If tokens are issued before authentication, always regenerate them after successful authentication.
- Use POST methods for critical transactions, embedding the CSRF token in the request.
- Don't send CSRF tokens in GET requests, as they may be revealed in browser history, server logs, etc.

In a few Ruby-based apps, where the token was being generated before authentication and the same was being...
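As an added example (not code from the original post or from any of the applications it describes), a minimal Ruby session model applying the rules above: no token exists before login, a fresh token is issued on every successful authentication, and the token is only accepted on state-changing methods. The `Session` class, its method names and the in-memory design are assumptions made for illustration, not a framework's API.

```ruby
require 'securerandom'

# Constructed session model: the anti-CSRF token is bound to the
# authenticated state and replaced whenever that state is (re)established.
class Session
  attr_reader :user, :csrf_token

  def initialize
    @user = nil
    @csrf_token = nil # no token before authentication
  end

  def authenticated?
    !@user.nil?
  end

  # Successful login: bind the session to the user and issue a fresh token.
  # Rotating here means any token observed before login, or in an earlier
  # session, is worthless against the authenticated session.
  def login!(username)
    @user = username
    @csrf_token = SecureRandom.hex(32)
  end

  def logout!
    @user = nil
    @csrf_token = nil
  end

  # True only for a state-changing method carrying a token equal to this
  # session's current token. GET is rejected so tokens never travel in URLs.
  def valid_csrf?(method, submitted_token)
    return false unless authenticated? && @csrf_token
    return false unless %w[POST PUT PATCH DELETE].include?(method.to_s.upcase)
    return false unless submitted_token.is_a?(String)
    secure_equal?(submitted_token, @csrf_token)
  end

  private

  # Length-guarded, constant-time comparison so a mismatch does not leak
  # how many leading bytes were correct via timing.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```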