- Identify sensitive actions that rely on cookie-based authentication and test for CSRF token presence and validation.
- Test whether the SameSite cookie attribute is set and whether it effectively prevents cross-origin requests.
- Pay attention to state-changing GET requests (if any exist) — these ar
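The three checks above can be run as a small audit helper over captured `Set-Cookie` headers and page HTML. This is an added example, not code from the original page; the token field-name pattern, the URL verb pattern and the sample form are assumptions to tune for the application under review.

```python
import re
from html.parser import HTMLParser

# Assumed heuristics (not from the page); tune both to the application under review.
TOKEN_NAME = re.compile(r"csrf|xsrf|authenticity_token", re.I)
STATE_VERB = re.compile(r"delete|remove|update|transfer|change", re.I)

def audit_set_cookie(header):
    """Return (cookie name, SameSite findings) for one Set-Cookie header value."""
    first, *rest = [p.strip() for p in header.split(";")]
    attrs = {k.strip().lower(): v.strip().lower()
             for k, _, v in (p.partition("=") for p in rest)}
    samesite, findings = attrs.get("samesite"), []
    if samesite is None:
        findings.append("SameSite not set: behaviour depends on the browser default")
    elif samesite == "none":
        findings.append("SameSite=None: cookie is sent on cross-site requests")
        if "secure" not in attrs:
            findings.append("SameSite=None without Secure: Chrome rejects the cookie")
    elif samesite == "lax":
        findings.append("SameSite=Lax: still sent on top-level cross-site GET navigation")
    return first.split("=", 1)[0], findings

class FormAudit(HTMLParser):
    """Record each form's method, action and whether it carries a token-like field."""
    def __init__(self):
        super().__init__()
        self.forms = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append({"action": a.get("action") or "", "token": False,
                               "method": (a.get("method") or "get").lower()})
        elif tag == "input" and self.forms and TOKEN_NAME.search(a.get("name") or ""):
            self.forms[-1]["token"] = True

def audit_forms(html):
    """Flag POST forms with no token field and GET forms whose action looks state-changing."""
    parser = FormAudit()
    parser.feed(html)
    findings = []
    for f in parser.forms:
        if f["method"] == "post" and not f["token"]:
            findings.append((f["action"], "POST form without CSRF token field"))
        elif f["method"] == "get" and STATE_VERB.search(f["action"]):
            findings.append((f["action"], "state-changing action reachable via GET"))
    return findings

SAMPLE = '<form method="post" action="/account/email"><input name="email"></form>'  # constructed
```

A token field being present says nothing about whether the server validates it; that still has to be confirmed by submitting the request with the token missing or altered.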