Code Room
Coding | Medium | cod-g1111
Subject: Auth | Level: Mid–Senior | ~20 min | Common in Security interviews | Industries: Software development

Question

Validate a CSRF double-submit-cookie defense. Given the token value from the cookie, the token value submitted in the request (header or form field), and a set of HTTP methods considered safe (e.g. ['GET','HEAD','OPTIONS']), return True if the request should be allowed. Safe methods are always allowed regardless of tokens. For unsafe methods, both tokens must be present (non-empty) and equal under a constant-time comparison. Return False otherwise.

Implement
csrf_ok(method: str, cookie_token: str, request_token: str, safe_methods: list[str]) → bool
Examples
Input: ["POST", "abc123", "abc123", ["GET", "HEAD", "OPTIONS"]]
Output: true
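A reference implementation of the check described above, added here as an example and not part of the original exercise. The `csrf_ok` signature is the one the question gives; `token_from_request`, `check_request`, the cookie name `csrf`, the header name `X-CSRF-Token`, the form field `csrf_token`, and the case-insensitive method match are assumptions made for the example. The sample request at the bottom is constructed.

```python
import hmac
from typing import Iterable, Mapping

DEFAULT_SAFE_METHODS = ["GET", "HEAD", "OPTIONS"]


def csrf_ok(method: str, cookie_token: str, request_token: str,
            safe_methods: Iterable[str]) -> bool:
    """Double-submit-cookie check.

    Safe methods pass without looking at tokens. Unsafe methods require both
    tokens to be present (non-empty) and equal under a constant-time compare.
    """
    # Assumption: methods are matched case-insensitively. HTTP method tokens
    # are case-sensitive on the wire, but frameworks normally upper-case them
    # before routing, so "post" is treated as POST here rather than as an
    # unknown (and therefore unsafe) method.
    if method.upper() in {m.upper() for m in safe_methods}:
        return True
    # Presence check first: None or "" on either side fails closed, so a
    # request that simply omits both tokens is never treated as "equal".
    if not cookie_token or not request_token:
        return False
    # hmac.compare_digest runs in time that depends on the input length, not
    # on the position of the first differing byte, so response timing does not
    # leak the cookie value one byte at a time. Encode to bytes so non-ASCII
    # input cannot raise TypeError from compare_digest.
    return hmac.compare_digest(cookie_token.encode("utf-8"),
                               request_token.encode("utf-8"))


def token_from_request(headers: Mapping[str, str], form: Mapping[str, str],
                       header_name: str = "X-CSRF-Token",
                       field_name: str = "csrf_token") -> str:
    """Return the submitted token, preferring the header over the form field.

    Header and field names are assumptions for this example, not part of the
    exercise. Header names are matched case-insensitively, as HTTP requires.
    """
    for name, value in headers.items():
        if name.lower() == header_name.lower():
            return value or ""
    return form.get(field_name, "") or ""


def check_request(method: str, cookies: Mapping[str, str],
                  headers: Mapping[str, str], form: Mapping[str, str],
                  safe_methods: Iterable[str] = DEFAULT_SAFE_METHODS,
                  cookie_name: str = "csrf") -> bool:
    """Glue the pieces together for a parsed request (assumed cookie name)."""
    cookie_token = cookies.get(cookie_name, "") or ""
    request_token = token_from_request(headers, form)
    return csrf_ok(method, cookie_token, request_token, safe_methods)


if __name__ == "__main__":
    # Constructed sample: a state-changing request carrying matching tokens.
    sample = dict(method="POST", cookies={"csrf": "abc123"},
                  headers={"x-csrf-token": "abc123"}, form={})
    print("allowed" if check_request(**sample) else "rejected")
```

Two points a reviewer would look for: the presence check runs before the comparison so that two empty strings never compare equal, and the comparison is `hmac.compare_digest` rather than `==`. Note also what this defense does not cover: it assumes the attacker cannot set cookies for the target origin, so a sibling subdomain that can write cookies for the parent domain can satisfy the check.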
What a strong answer looks like

State your approach and its time/space complexity out loud before you optimize. Handle the edge cases (empty input, duplicates, overflow), and say why you chose this over the brute force. Green tests are the floor, not the grade.

Vibe coding: describe the solution in plain language (or narrate it) and the coach grades your approach. Generating runnable code from your description is coming next.
