What Is CSRF (Cross-Site Request Forgery)?
Cross-Site Request Forgery (CSRF) is an attack that tricks a logged-in user's browser into sending a request the user never intended to a web application where they are authenticated. Because the browser attaches the session cookie to every request bound for that site, including requests triggered from an attacker's page, the server cannot tell a forged request from a legitimate one unless it demands something the attacker's page cannot supply, such as a secret token or a matching Origin.
Types of CSRF
GET-based CSRF
Exploits state-changing GET requests via img tags or links: the browser fetches the URL with the victim's cookies attached as soon as the attacker's page loads. A GET that changes state is itself the defect, so such endpoints should be converted to POST before any other defense is applied.
<img src="https://bank.com/transfer?to=attacker&amount=10000">
POST-based CSRF
Uses a hidden auto-submitting form to send a POST request; the victim only has to load the attacker's page, no click required.
<form action="https://bank.com/transfer" method="POST">
<input type="hidden" name="to" value="attacker">
<input type="hidden" name="amount" value="10000">
</form>
<script>document.forms[0].submit()</script>
How to Prevent It
// 1. CSRF (synchronizer) tokens: unpredictable, bound to the user's session, carried in a hidden field or custom header, and checked by the server on every state-changing request. A missing or mismatched token is rejected before any work is done.
<form method="POST">
<input type="hidden" name="_csrf" value="random-token-here">
</form>
// 2. SameSite cookies: tell the browser not to attach the session cookie to cross-site requests. Strict withholds it on every cross-site request; Lax (the Chromium default when the attribute is absent) still sends it on top-level GET navigations, so Lax alone does not protect a state-changing GET endpoint. Treat SameSite as defense in depth alongside tokens, not a replacement.
Set-Cookie: session=abc123; SameSite=Strict; Secure; HttpOnly
// 3. Check Origin/Referer headers on state-changing requests. Compare the full origin (scheme, host and port, not a substring), fall back to Referer when Origin is absent, and reject when neither header is present. Wrap the URL parse in try/catch in production code so a malformed header is rejected rather than crashing the handler.
const source = req.headers.origin || req.headers.referer;
if (!source || new URL(source).origin !== 'https://yoursite.com') {
return res.status(403).json({ error: 'CSRF detected' });
}
// 4. Double-submit cookie pattern
// Set a random value in both a cookie and a form field; the server verifies they match.
// The naive version trusts whatever cookie the browser presents, so anyone who can set cookies for the domain (a compromised subdomain, or a plain-HTTP man in the middle) can plant a matching pair. Prefer the signed variant: the cookie value carries an HMAC over the session id under a server-held key, so it cannot be forged, and the server still stores nothing per request.
Real-World Impact
Unauthorized fund transfers, email/password changes, privilege escalation, data deletion. In 2008, a CSRF vulnerability in a major router allowed attackers to change DNS settings, redirecting all traffic through malicious servers.