My latest mandatory training:
CSRF can be really bad.

We’ll no fucking shit Sherlock!

Wait what??!!??

I thought CSRF was a web browser feature! Well I'll be damned, such an useful training, this should be mandatory for all employees everywhere every monday!

I know CSRF is bad. Making sure it doesn't happen is a totally different thing.

I hate web dev...

From the following lessons:
- you shouldn't put secrets in the client code
- Passwords shouldn't be readable
- Input should probably not be executed as code unless you really know what you're doing.

It should be a training for everyone to really understand what it is. Its really bad when you hire a penetration testing company with "10+ years of experience" and then their staff comes in and tells you that the GET request which only renders a HTML of the form and nothing else is "vulnerable" because you can "render" that html without an anti-csrf token. :)
Also today you can do full anti csrf protection by just using SameSite=Strict in your cookies, or by not using cookies at all and going full access token and REST. :)