What is CSRF and how do you prevent it?

Question

Accepted Answer

**CSRF (Cross-Site Request Forgery)** tricks a logged-in user's browser into making **unwanted requests** to a site where they're authenticated — performing actions (transfers, changes) without their consent, exploiting the browser's automatic sending of credentials/cookies. ## How CSRF works ```text The attack exploits that browsers AUTO-SEND cookies (incl. session cookies) with requests: 1. a user is LOGGED IN to a site (has a session cookie) 2. the user visits a MALICIOUS page (or clicks a crafted link) 3. that page makes a request to the target site (e.g. a hidden form auto-submitting) 4. the browser AUTOMATICALLY includes the user's session cookie → the site thinks it's a legitimate request from the user → performs the action (transfer money, change email) → the user unknowingly performs an action they didn't intend. ``` ```html ``` ## Prevention ```text ✓ CSRF TOKENS → a unique, unpredictable token per session/form that the server verifies; the attacker's site can't know it → the forged request fails (the primary defense) ✓ SameSite COOKIES → SameSite=Lax/Strict → cookies NOT sent on cross-site requests → blocks CSRF (now a strong, default-ish browser defense) ✓ Check Origin/Referer headers; require re-authentication for sensitive actions ✓ Don't use GET for state-changing actions (use POST/PUT/DELETE properly) → Frameworks often provide CSRF protection built in — enable/use it. ``` ## Why it matters Understanding CSRF and how to prevent it is valuable because it's a **common web vulnerability** that exploits how browsers work, allowing attackers to perform actions as authenticated users, so it's important security knowledge for web developers. Understanding **how CSRF works** — exploiting that browsers **automatically send cookies** (including session cookies) with requests, so a malicious page can trigger a request to a site where the user is logged in, and the browser includes the session cookie, making the site treat the forged request as legitimate and perform the action (transfers, account changes) without the user's consent — is necessary to grasp this subtle but dangerous attack. CSRF is dangerous because it can perform sensitive actions as the victim without their knowledge, and it's a common web vulnerability. Understanding the **prevention** is essential: **CSRF tokens** (a unique, unpredictable token per session/form that the server verifies — the attacker's site can't know it, so forged requests fail; the primary traditional defense), **SameSite cookies** (setting SameSite=Lax/Strict so cookies aren't sent on cross-site requests, now a strong browser-level defense that's increasingly default), checking Origin/Referer headers, requiring re-authentication for sensitive actions, and not using GET for state-changing operations. Understanding that **frameworks often provide CSRF protection built in** (which should be enabled and used) is practically important. The combination of CSRF tokens and SameSite cookies provides robust protection. Since CSRF is a common web vulnerability exploiting browser behavior to perform unwanted actions as authenticated users, and since understanding how it works and how to prevent it (CSRF tokens, SameSite cookies, framework protections) is important for web developers, understanding CSRF and its prevention is valuable, practically-relevant security knowledge — an important web vulnerability to understand and defend against, where the defenses (CSRF tokens and SameSite cookies) are key knowledge for protecting users from being tricked into unwanted actions, a notable attack class for any web application with authenticated state-changing operations.