CSRF
CSRF (Cross-Site Request Forgery) tricks a logged-in user's browser into making an authenticated request your server can't distinguish from a real one. The attacker doesn't need to read responses — they just need the request to fire and have side effects.
What it means
Classic example: you're logged into bank.com (session cookie set). You visit attacker.com, which auto-submits a form to bank.com/transfer with your account as the source. The browser dutifully attaches your session cookie, so bank.com sees a valid logged-in transfer request. Without protection, the transfer happens. Defenses: **SameSite cookies** (`Lax` or `Strict`) make the browser refuse to send the session cookie on cross-site form posts; Chromium-based browsers have treated cookies with no SameSite attribute as `Lax` since 2020, but set the attribute explicitly rather than rely on that default, and remember that `Lax` still sends the cookie on cross-site top-level GET navigations. **CSRF tokens** put a random, session-bound value in every state-changing form; the attacker's page cannot read it across origins, so it cannot build a request that carries it. **Origin / Referer header checks** are a third defense: a browser-issued cross-site POST carries an `Origin` header naming the attacker's site, which the server can reject.
Why it matters
CSRF used to be a top-tier vulnerability; SameSite=Lax-by-default (Chrome 2020+) closed most attack vectors automatically. The remaining risks: GET requests with side effects (an anti-pattern; `Lax` still sends the cookie on a cross-site top-level GET, so use POST for state changes); legacy cookies with no explicit SameSite attribute, which Chromium additionally sends on cross-site top-level POSTs for two minutes after they are set, and which browsers without Lax-by-default may still send cross-site; cookies deliberately set `SameSite=None` so the site can be embedded or called cross-site; and attackers who are same-site but not same-origin, such as a compromised subdomain, since SameSite is scoped to the registrable domain rather than the origin. APIs authenticated only by an `Authorization` header are not CSRF targets, because a cross-site page cannot attach the victim's token; the risk returns as soon as the same endpoint also accepts a session cookie.
Frequently asked questions
CSRF vs XSS?
XSS runs attacker code in your origin (full read + write). CSRF tricks the user's browser into sending a write-only request from another origin (no read). XSS is strictly worse; CSRF is mostly mitigated by SameSite cookies.
What is SameSite?
A cookie attribute that controls whether the browser sends the cookie on cross-site requests. `Strict` = never. `Lax` = only on top-level navigations that use a safe method such as GET (a link click or redirect), never on cross-site form POSTs, images, iframes or `fetch` calls. `None` = always, and the cookie must also carry `Secure`. Chromium treats a cookie with no SameSite attribute as `Lax`; set the attribute explicitly rather than rely on that default.
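The attachment rules above, written out as a small browser model so you can see which attack shapes (auto-submitted form, link click, `<img>` tag) still deliver a cookie under each value. This is an added example, not code from the original page or any browser; the Strict/Lax/None rules and Chromium's two-minute "Lax+POST" window are real behaviour, while the assumption that non-Chromium browsers still treat a missing attribute as `None` reflects shipping defaults at the time of writing and is labelled as such in the code.

```javascript
// Added example, not code from the original page: a model of when a browser
// attaches a cookie to a cross-site request under each SameSite value. The
// Strict/Lax/None rules follow the SameSite spec and Chromium's Lax-by-default
// behaviour with its two-minute "Lax+POST" exception; that non-Chromium browsers
// still treat a missing attribute as None is an assumption (current defaults).

const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);
const LAX_POST_GRACE_MS = 2 * 60 * 1000;

// cookie:  { sameSite: 'Strict' | 'Lax' | 'None' | undefined, secure: bool, setAt: ms }
// request: { crossSite: bool, topLevel: bool, method: string, now: ms }
// browser: 'chromium' | 'firefox' | 'safari'
function cookieAttached(cookie, request, browser = 'chromium') {
  if (!request.crossSite) return true;               // same-site requests always carry it
  if (cookie.sameSite === undefined && browser !== 'chromium') {
    return true;                                     // assumption: legacy behaviour, sent everywhere
  }
  const mode = cookie.sameSite === undefined ? 'Lax' : cookie.sameSite;
  switch (mode) {
    case 'Strict':
      return false;
    case 'Lax':
      if (!request.topLevel) return false;               // <img>, <iframe>, fetch(): never
      if (SAFE_METHODS.has(request.method)) return true; // link click, redirect: yes
      // Chromium sends a cookie with no explicit attribute on a cross-site
      // top-level POST for two minutes after it was set.
      return cookie.sameSite === undefined && request.now - cookie.setAt < LAX_POST_GRACE_MS;
    case 'None':
      // SameSite=None without Secure is rejected at set time, so it is never sent.
      return cookie.secure;
    default:
      throw new Error(`unknown SameSite value: ${mode}`);
  }
}

// The attack shapes from the page, as constructed requests (times in ms).
const attackerFormPost = { crossSite: true, topLevel: true,  method: 'POST', now: 0 };
const attackerLink     = { crossSite: true, topLevel: true,  method: 'GET',  now: 0 };
const attackerImgTag   = { crossSite: true, topLevel: false, method: 'GET',  now: 0 };

// Which attack shapes still deliver the cookie for a given cookie policy.
function exposure(cookie, browser = 'chromium') {
  return {
    formPost: cookieAttached(cookie, attackerFormPost, browser),
    link: cookieAttached(cookie, attackerLink, browser),
    imgTag: cookieAttached(cookie, attackerImgTag, browser),
  };
}
```

Two results are worth noticing: a `Lax` cookie is still delivered on the attacker's link (so a GET that changes state remains exploitable), and a cookie with no attribute is delivered on the attacker's form post during the two minutes after login, which is exactly when an attacker who can lure a user from a login page gets their window.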
Do I still need CSRF tokens?
Belt-and-suspenders. SameSite=Lax cookies cover the common case, but defense in depth (especially for high-value actions like password change, payment, account deletion) means tokens are still standard practice in most frameworks. Tokens also protect users on browsers that do not default to Lax, and they are the only defense left once a cookie has to be `SameSite=None` for legitimate cross-site use.
Related terms
- XSS: XSS (Cross-Site Scripting) is a vulnerability where attacker-controlled JavaScript runs in another user's browser, in the context of your site, with the same domain, same cookies and same localStorage. Result: session theft, data exfiltration, or arbitrary actions taken as the user.
- CORS: CORS (Cross-Origin Resource Sharing) is a browser mechanism that lets a server explicitly opt in to cross-origin requests. The same-origin policy blocks reading cross-origin responses by default; CORS headers (Access-Control-Allow-Origin, etc.) tell the browser to make exceptions.
- OAuth: OAuth is the open-standard protocol that lets a user grant a third-party app limited, scoped access to their account at another service, without sharing their password. 'Sign in with Google', GitHub OAuth apps and Slack-to-Notion integrations all run on OAuth 2.0.