SameSite is a promising cookie attribute that mitigates CSRF: it tells the browser not to attach the cookie to cross-site requests, so a request forged from another origin arrives without the victim's session cookie. It is a defense-in-depth measure, not a replacement for token-based CSRF checks, since older browsers ignore the attribute and the Lax mode still sends the cookie on top-level GET navigations.
The latest version of the cookie library (Web.Cookie) supports this attribute through the setCookieSameSite field of SetCookie, and you can start using it in Yesod apps if you manually pull that version into your build. For example, in stack.yaml:
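As an added illustration (not the post's original snippet), this is the shape of the stack.yaml change: pin the newer cookie release as an extra dependency so it overrides the one in your snapshot. The exact version number is an assumption here; check the cookie changelog on Hackage for the release that introduced setCookieSameSite.

```yaml
# stack.yaml fragment (added example; "0.4.3" is an assumed version,
# verify against the cookie package changelog before copying).
extra-deps:
- cookie-0.4.3
```

After changing extra-deps, run stack build so the newer cookie is compiled in; cabal-based builds would instead use a constraint of the form cookie >= 0.4.3 in the .cabal file.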
You can write some middleware to mark sessions as SameSite:
Here's an example App instance:
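The following is an added example that is not the post's original middleware or App instance, written against the public SessionBackend, SaveSession and Header types from Yesod.Core.Types and the setCookieSameSite field from Web.Cookie (cookie >= 0.4.3 assumed). The wrapper sameSiteSessions, the App type, the HomeR route and the key file name are this example's own choices, not Yesod's API. The idea is to wrap the session backend so that every AddCookie header it emits when saving the session is rewritten to carry SameSite=Lax:

```haskell
{-# LANGUAGE OverloadedStrings #-}
{-# LANGUAGE QuasiQuotes #-}
{-# LANGUAGE TemplateHaskell #-}
{-# LANGUAGE TypeFamilies #-}
module Main where

import Web.Cookie (SameSiteOption, sameSiteLax, setCookieSameSite)
import Yesod.Core
import Yesod.Core.Types (Header (..), SaveSession, SessionBackend (..))

-- Wrap a SessionBackend so that every Set-Cookie header produced when the
-- session is saved carries the given SameSite attribute. Only AddCookie
-- headers are touched; DeleteCookie and plain headers pass through.
-- (Added example: sameSiteSessions is not a Yesod-provided function.)
sameSiteSessions :: SameSiteOption -> SessionBackend -> SessionBackend
sameSiteSessions opt (SessionBackend load) = SessionBackend load'
  where
    load' req = do
      (sess, save) <- load req
      return (sess, markSave save)

    -- A SaveSession is SessionMap -> IO [Header]; post-process its output.
    markSave :: SaveSession -> SaveSession
    markSave save sess = map markHeader <$> save sess

    markHeader (AddCookie c) = AddCookie c { setCookieSameSite = Just opt }
    markHeader h             = h

-- Minimal site; the name "App" and the route are assumptions of this example.
data App = App

mkYesod "App" [parseRoutes|
/ HomeR GET
|]

instance Yesod App where
    -- Keep Yesod's default client-session backend (120 minute timeout,
    -- key in client_session_key.aes) and mark its cookie SameSite=Lax.
    -- Use sameSiteStrict if the app never needs the session on
    -- top-level navigations from other sites.
    makeSessionBackend _ = do
        backend <- defaultClientSessionBackend 120 "client_session_key.aes"
        return (Just (sameSiteSessions sameSiteLax backend))

getHomeR :: Handler Html
getHomeR = do
    -- Writing to the session forces a Set-Cookie on this response,
    -- so the attribute is easy to inspect in the browser dev tools.
    setSession "seen" "yes"
    defaultLayout [whamlet|<p>Session cookie is now SameSite=Lax|]

main :: IO ()
main = warp 3000 App
```

To check the result, load http://localhost:3000/ and look at the Set-Cookie response header: the _SESSION cookie should now end with SameSite=Lax. Keep Yesod's CSRF token middleware enabled alongside this; SameSite only narrows which requests carry the cookie, and Lax still sends it on top-level GET navigations, so GET handlers must stay free of side effects.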
I've submitted a PR to add a helper for this.