The current CSRF token in the OAuth2 filter state is a random string. This can be improved by signing the random string with the HMAC secret, adding protection against CSRF token forgery.
From my point of view we can look into that later, if we even want to mitigate those threats. I am not sure which risks are accepted by Envoy. But those mentioned by OWASP assume that the attacker can access Envoy's cookies via subdomain takeover, subdomain XSS or man-in-the-middle.
Originally commented by @denniskniep
#36276 (comment)