
Cross-Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) is an attack that tricks a user’s browser into sending an unwanted authenticated request to a web application. It matters because browsers often carry trusted cookies automatically, even when a request was triggered from a malicious page.

What is Cross-Site Request Forgery (CSRF)?

In a CSRF attack, the victim is already logged in to a site, and the attacker causes the browser to submit a request the site interprets as legitimate. This can lead to unwanted account changes, transactions, or administrative actions if the application lacks proper request validation.

Common Defenses Against Cross-Site Request Forgery (CSRF)

Common defenses include anti-CSRF tokens, SameSite cookies, origin validation, reauthentication for sensitive actions, and stricter session controls.

Cross-Site Request Forgery (CSRF) vs. Cross-Site Scripting (XSS)

CSRF abuses the browser’s trust in the site. XSS injects malicious script into the site or page context itself.

Frequently Asked Questions

Why is CSRF dangerous?

Because the forged request may look fully authenticated if the browser automatically includes the user’s session state.

Does SameSite replace CSRF defenses entirely?

No. It helps significantly, but strong request validation and action protections still matter.
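The defenses listed above (anti-CSRF tokens, SameSite cookies, origin validation) and the FAQ point that SameSite alone is not enough can be shown together in one small server-side check. The following is an added example written for this entry, not code from the original page: it issues a session cookie with SameSite=Lax, attaches a per-session synchronizer token, and rejects any state-changing request whose Origin/Referer is not the site's own or whose token does not match. The site origin `https://bank.example`, the request shapes, and the helper names are all constructed for illustration.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Assumed origin of the protected application (constructed for this example).
ALLOWED_ORIGINS = {"https://bank.example"}

# Methods that must never change state; CSRF checks apply to everything else.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


@dataclass
class Session:
    """Server-side session; the CSRF token never leaves the site's own pages."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value with attributes that limit cross-site sending.

    SameSite=Lax stops the cookie on cross-site POSTs, but it is still sent
    on top-level GET navigations, so it is a layer, not the whole defense.
    """
    return f"session={session_id}; Secure; HttpOnly; SameSite=Lax; Path=/"


def origin_allowed(headers: Dict[str, str]) -> bool:
    """Origin validation: accept only requests that come from our own origin."""
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            # A state-changing request carrying no origin information is rejected
            # rather than trusted by default.
            return False
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin in ALLOWED_ORIGINS


def token_valid(session: Session, submitted: Optional[str]) -> bool:
    """Synchronizer token check with a constant-time comparison."""
    if not submitted:
        return False
    return hmac.compare_digest(session.csrf_token, submitted)


def validate_state_changing_request(
    method: str, headers: Dict[str, str], form: Dict[str, str], session: Session
) -> Tuple[bool, str]:
    """Return (allowed, reason). Both the origin and the token must pass."""
    if method.upper() in SAFE_METHODS:
        return True, "safe method"
    if not origin_allowed(headers):
        return False, "origin mismatch"
    if not token_valid(session, form.get("csrf_token")):
        return False, "missing or invalid token"
    return True, "ok"


# --- constructed sample requests for the same logged-in session --------------
SESSION = Session(user="alice")

# A form submitted from the site's own page: correct origin and token.
LEGIT = ("POST", {"Origin": "https://bank.example", "Cookie": "session=abc"},
         {"amount": "10", "csrf_token": SESSION.csrf_token})

# A form auto-submitted from another site: the browser may attach the cookie,
# but the page cannot read the token and the Origin header names the other site.
FORGED = ("POST", {"Origin": "https://evil.example", "Cookie": "session=abc"},
          {"amount": "10"})

# Same-origin request that simply forgot the token (e.g. a hand-built form).
NO_TOKEN = ("POST", {"Origin": "https://bank.example", "Cookie": "session=abc"},
            {"amount": "10"})


def run_samples() -> Dict[str, Tuple[bool, str]]:
    """Evaluate the constructed requests; used by the stand-alone run below."""
    return {
        "legit": validate_state_changing_request(*LEGIT, SESSION),
        "forged": validate_state_changing_request(*FORGED, SESSION),
        "no_token": validate_state_changing_request(*NO_TOKEN, SESSION),
        "read_only": validate_state_changing_request("GET", {}, {}, SESSION),
    }


if __name__ == "__main__":
    print(session_cookie_header("abc"))
    for name, result in run_samples().items():
        print(f"{name:10s} -> {result}")
```

The check deliberately requires both conditions: the origin test catches a forged cross-site POST even if a cookie was attached, and the token test catches a request whose origin header was absent or stripped by an intermediary. Keeping state changes off GET is what makes the SameSite=Lax cookie attribute meaningful, since Lax still sends the cookie on top-level navigations.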


George Mutune

I am a cyber security professional with a passion for delivering proactive strategies for day-to-day operational challenges. I am excited to be working with leading cyber security teams and professionals on projects that involve machine learning & AI solutions to solve the cyberspace menace and cut through the inefficiency that plagues today's business environments.