How does Remix handle cookies and CSRF protection?
Answer
Remix has a built-in CSRF protection mechanism for actions (form submissions). Since Remix actions use HTTP POST with form submissions, they are protected against CSRF by default via the browser's same-origin policy for form submissions (forms can only POST to their origin). For API-style actions where the request comes from JavaScript, Remix provides createCSRFTokenPair, or you can use the CSRF utilities from remix-utils.

Cookie handling in Remix works as follows. Read the raw cookie header with request.headers.get("Cookie"). Parse it with a cookie created by Remix's createCookie, for example: const userCookie = createCookie("user", { secure: true, httpOnly: true, sameSite: "lax" }); const value = await userCookie.parse(request.headers.get("Cookie")); To set a cookie, return a Response with a Set-Cookie header.

Setting sameSite to "strict" or "lax" provides CSRF protection for browser-initiated requests. For SPA-like fetcher calls, implement additional token validation if required by your security policy.