Cross-Site Request Forgery (CSRF)

What is Cross-Site Request Forgery (CSRF)?

CSRF is an attack that tricks a signed-in user’s browser into sending unwanted, authenticated requests to a website, causing actions like changing settings or transferring money without the user’s intent.

Examples

  • While logged in to a banking site, a user visits a malicious page that auto-submits a hidden form to /transfer using the user’s cookie—moving funds to the attacker.
  • A forum uses GET to perform state changes. An attacker embeds an <img src="https://forum.example.com/moderate?delete=123"> which deletes a post when a moderator views it.

Discover 🔎

Web browsers automatically attach cookies to requests for a site the user is signed in to. CSRF exploits that convenience (ambient authority): a malicious site causes the victim’s browser to send a request to the target site, which arrives with valid cookies and looks legitimate. If the target doesn’t insist on a fresh proof of intent, it may execute the action.

Remember: CSRF is about tricking the user’s browser to act on their behalf—no need to steal the cookie or read the response.

Summary 📝

CSRF abuses the browser’s habit of attaching cookies to cross-site requests. Stop it by requiring a fresh proof of intent (anti-CSRF tokens), limiting cookie sending (SameSite), checking Origin/Referer, and reserving GET for safe reads. For OAuth redirects, validate state. Combine these controls so forged requests are rejected while real user actions still work.
