Problem: Attackers can forge state-modifying requests (team creation, leaderboard changes) from external sites because no CSRF tokens validate requests.
Proposed Solution: Add CSRF token validation to all POST/PUT/DELETE requests, use SameSite cookies, regenerate tokens on sensitive operations.
Problem: Attackers can forge state-modifying requests (team creation, leaderboard changes) from external sites because no CSRF tokens validate requests.
Proposed Solution: Add CSRF token validation to all POST/PUT/DELETE requests, use SameSite cookies, regenerate tokens on sensitive operations.