Cross Site Request Forgery
Cross-Site Request Forgery (CSRF) is an attack in which a page under the attacker's control causes the victim's browser to send an unintended, state-changing request to a site on which the victim is already authenticated. Browsers attach ambient credentials (session cookies, HTTP authentication credentials) to every request sent to a site regardless of which page initiated it, so the forged request is processed with the victim's privileges: the attacker can change account details, submit transactions or otherwise alter application state without the user's knowledge. The attacker does not need to read the response; an auto-submitting hidden form, an image tag or a scripted request on any page the victim visits is enough. CSRF exploits the implicit trust a server places in any request that carries a valid session, not a flaw in the session itself, which is why applications that rely solely on automatically sent cookies to authenticate state-changing requests are especially exposed.
Remediation
The primary defence against CSRF is to require, on every state-changing request, a value that an attacker's page can neither guess nor obtain: a cryptographically strong, unpredictable token that the server ties to the user's session and validates on each request, rejecting the request if the token is missing or incorrect. Tokens belong in a hidden form field or request header, not in the URL, where they leak through logs and the `Referer` header. Modern frameworks provide CSRF middleware that inserts and validates such tokens automatically; ensure it is enabled for every unsafe HTTP method (typically `POST`, `PUT`, `PATCH` and `DELETE`) and that no state-changing operation is reachable via `GET` or `HEAD`, since those are routinely exempted from token checks. Complement this with the `SameSite` attribute on session cookies, ideally `Strict` or at least `Lax`, so the cookie is not sent with cross-site requests; note that `Lax` still sends the cookie on top-level `GET` navigations, so it does not protect state-changing `GET` endpoints. Require re-authentication or multi-factor confirmation for sensitive operations. For API endpoints, a required custom request header (for example `X-CSRF-Token`) is effective because a cross-origin page cannot add it without a CORS preflight that the server declines; a double-submit cookie is also acceptable provided the cookie value is signed or otherwise bound to the session so that an attacker cannot plant one. Checking the `Origin` (or, failing that, `Referer`) header against the application's own origin is cheap defence in depth. Finally, keep the principle of least privilege so that even a successful CSRF attempt can execute only limited, non-destructive actions.
Metadata
- Severity: medium
- Slug: cross-site-request-forgery
CWEs
- 352: Cross-Site Request Forgery (CSRF)
OWASP
- A01:2021: Broken Access Control