Recently, I’ve learned that cookies are sent automatically with every request. And this behaviour makes some websites vulnerable to CSRF. From what I’ve learned, CSRF can be prevented by using CSRF tokens that are stored in the client’s JavaScript or Storage APIs, but NOT in the cookies (to prevent it from being sent too).