Techniques are described for providing an application programming interface (API) architecture that is capable of supporting cross-site request forgery (CSRF) protection with an attribute flag in a cookie, for client devices that utilize a stateless user session to interface with an API gateway. A client device may transmit session requests received by an API gateway. The API gateway may generate a session, and a cookie including session properties associated with the session. The cookie may further include the attribute flag associated with a CSRF token. By transmitting the cookie with the attribute flag to the client device, the client device may receive and insert the cookie into subsequent requests to indicate a requirement that the subsequent requests be accompanied by the CSRF token. In this way, the API gateway may utilize the attribute flag indicating the requirement for the CSRF token to protect the client device from malicious attacks.