CSRF - Cross-Site Request Forgery Explained
CSRF (Cross-Site Request Forgery) is an attack in which an attacker makes a user send an unintended, malicious request to a web service the user is already authenticated with. Because it abuses the credentials (cookies) of the service the user is logged into, the request is processed as if the user had performed the action themselves. Alongside XSS, it is one of the most representative web application attacks. As of 2025, major frameworks (Django, Rails, Next.js) include CSRF protection by default, yet implementation gaps in API endpoints and SPAs continue to be reported.
Real-World Use Cases
"During a vulnerability assessment, we found that the shipping-address change API of an e-commerce site had no CSRF protection implemented. If an attacker prepared a trap page, they could change a logged-in user's shipping address to any address they wanted."
The Flow of a CSRF Attack
The Mechanism of a CSRF Attack
The attacker prepares a trap web page and embeds in it a request to a service the user is logged into. For example, if a user views the attacker's page while still logged in to a bank site, the browser automatically sends a money-transfer request to the bank site. Because the browser attaches the session cookies automatically, the bank site cannot distinguish the forged request from one made by a legitimate user. Web security books on Amazon will help you learn the details of the attack.
Real-World Damage Scenarios
There are cases where, while logged in to an e-commerce site, clicking a link planted by an attacker changes the shipping address to the attacker's address. There have also been reports of damage where viewing a trap page while logged in to a social network results in unintended posts or follows. When combined with session hijacking, the damage becomes even more serious. In online banking, CSRF protection for money-transfer operations is especially important.
Defense Techniques
On the developer side, the standard measure is to embed a CSRF token (a random, unpredictable value tied to the session) in forms and verify it on the server when the request arrives. Setting the SameSite cookie attribute can restrict cross-site cookie transmission. On the user side, the basics are to develop the habit of logging out after important operations and to avoid clicking suspicious links. Protecting your account with a strong random password and enabling multi-factor authentication can mitigate the damage should the worst happen. Secure web development guides (Amazon) are also helpful references.
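The following is an added example, not code from the original article: a minimal in-process model of the shipping-address change scenario described above, showing an unprotected handler beside one hardened with a per-session CSRF token, an Origin check, and a SameSite=Lax session cookie. The service name `shop.example`, the trap site `trap.example`, and the function and class names are assumptions made for this illustration; the "browser" is simulated by the `browser_cookies_for` helper, which models the rule that a SameSite=Lax cookie is not attached to a cross-site POST.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed example: an in-memory model of a web service with a
# shipping-address endpoint. All names here are assumptions for the demo.

SESSIONS: dict = {}  # session id -> Session


@dataclass
class Session:
    user_id: str
    shipping_address: str
    # Synchronizer token: random, unique per session, never readable cross-site
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    method: str
    cookies: dict   # what the browser attached automatically
    form: dict      # request body fields
    headers: dict = field(default_factory=dict)


def login(user_id: str, address: str) -> str:
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = Session(user_id, address)
    return sid


def session_cookie_header(sid: str) -> str:
    # Set-Cookie value the server should send; SameSite=Lax keeps the cookie
    # off cross-site POST requests, Secure/HttpOnly limit other exposure.
    return f"session={sid}; HttpOnly; Secure; SameSite=Lax; Path=/"


def browser_cookies_for(sid: str, same_site_lax: bool, cross_site: bool) -> dict:
    # Browser model: a SameSite=Lax cookie is omitted from cross-site POSTs.
    if cross_site and same_site_lax:
        return {}
    return {"session": sid}


def change_address_vulnerable(req: Request) -> int:
    # Vulnerable: trusts the session cookie alone, so any cross-site POST
    # that carries the cookie is processed as the user's own action.
    sess = SESSIONS.get(req.cookies.get("session"))
    if req.method != "POST" or sess is None:
        return 401
    sess.shipping_address = req.form["address"]
    return 200


def change_address_protected(req: Request, allowed_origin="https://shop.example") -> int:
    # Hardened: session cookie + Origin/Referer check + per-session CSRF token.
    sess = SESSIONS.get(req.cookies.get("session"))
    if req.method != "POST" or sess is None:
        return 401
    origin = req.headers.get("Origin") or req.headers.get("Referer") or ""
    if not origin.startswith(allowed_origin):
        return 403
    token = req.form.get("csrf_token", "")
    # Constant-time comparison so token checks do not leak timing information
    if not hmac.compare_digest(token, sess.csrf_token):
        return 403
    sess.shipping_address = req.form["address"]
    return 200


def simulate() -> dict:
    """Run the forged and legitimate requests against both handlers."""
    sid = login("alice", "1 Main St")
    legit = Request("POST", browser_cookies_for(sid, True, False),
                    {"address": "2 Oak Ave", "csrf_token": SESSIONS[sid].csrf_token},
                    {"Origin": "https://shop.example"})
    # Forged request from a trap page: the attacker sets the form fields but
    # cannot read the per-session token, and the Origin is the trap site.
    forged = Request("POST", browser_cookies_for(sid, False, True),
                     {"address": "ATTACKER ADDRESS"}, {"Origin": "https://trap.example"})
    forged_lax = Request("POST", browser_cookies_for(sid, True, True),
                         {"address": "ATTACKER ADDRESS"}, {"Origin": "https://trap.example"})
    r = {}
    r["vulnerable_handler_forged"] = change_address_vulnerable(forged)
    r["address_after_vulnerable"] = SESSIONS[sid].shipping_address
    SESSIONS[sid].shipping_address = "1 Main St"  # reset between runs
    r["vulnerable_handler_forged_samesite_lax"] = change_address_vulnerable(forged_lax)
    r["protected_handler_forged"] = change_address_protected(forged)
    r["protected_handler_legit"] = change_address_protected(legit)
    r["final_address"] = SESSIONS[sid].shipping_address
    return r


if __name__ == "__main__":
    for k, v in simulate().items():
        print(f"{k}: {v}")
```

Two of the three defenses are independent of each other: the SameSite=Lax cookie stops the forged request before the handler sees a session at all, while the token and Origin checks reject it even when the cookie does arrive (for example on browsers or cookie configurations where SameSite does not apply). Keeping both is what makes the protection robust for API endpoints that SPAs call directly.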