GLOSSARY / Cross-Site Request Forgery (CSRF)
What is Cross-Site Request Forgery (CSRF)?
An attack that tricks a logged-in user’s browser into sending an unwanted authenticated request.
CSRF abuses the fact that browsers attach a site's cookies to every request sent to that site, regardless of which page initiated it. A page on an attacker-controlled origin can auto-submit a form or fire a request to a site where the victim is authenticated; the browser adds the victim's session cookie, so the server processes the request as the victim (CWE-352). The attacker cannot read the response (the same-origin policy blocks that), which is why the impact is the side effect of the request: a changed e-mail address or password, a transfer, a created admin account.
The standard defences are anti-CSRF tokens and the SameSite cookie attribute, backed by Origin/Referer checks.
How to defend
Tie every state-changing request to a CSRF token that is unpredictable (from a CSPRNG), bound to the user's session, and checked server-side with a constant-time comparison. Set session cookies with SameSite=Lax or Strict, and verify that the Origin header (or, failing that, Referer) names your own origin, rejecting the request when neither is present. Never perform state changes on GET: SameSite=Lax still sends cookies on top-level GET navigations, so it protects nothing that a link click can trigger, and it is a defence-in-depth layer rather than a replacement for tokens.
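The checks above, as an added example that is not part of the original glossary entry: a small framework-independent Python module that issues a per-session token, builds the session cookie with SameSite, and validates a state-changing request against the Origin/Referer header and the submitted token. The allowed origin https://app.example, the request representation (method, header dict, form dict, session dict) and the cookie name sid are assumptions for illustration.

```python
"""Minimal CSRF defence: session-bound token + Origin/Referer check + SameSite cookie.

Added example; framework-agnostic, standard library only.
"""
import hmac
import secrets
from urllib.parse import urlsplit

# Assumption: the application is served only from this origin.
ALLOWED_ORIGINS = {"https://app.example"}

# Methods that must not change state; CSRF checks are skipped for them,
# which is only safe if the application really never mutates on GET.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def issue_csrf_token(session: dict) -> str:
    """Return the session's CSRF token, creating it on first use.

    One unpredictable token per session is the usual design; it goes into a
    hidden form field (or a request header for fetch/XHR), never into a cookie
    alone, because the attacker's forged request would carry that cookie too.
    """
    token = session.get("csrf_token")
    if not token:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        session["csrf_token"] = token
    return token


def hidden_token_field(session: dict) -> str:
    """HTML fragment to embed in every state-changing form."""
    return f'<input type="hidden" name="csrf_token" value="{issue_csrf_token(session)}">'


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value for the session cookie (cookie name 'sid' is assumed).

    SameSite=Lax stops the browser attaching the cookie to cross-site POSTs
    and subresource requests; top-level GET navigations still carry it.
    """
    return f"sid={session_id}; Path=/; HttpOnly; Secure; SameSite=Lax"


def origin_is_trusted(headers: dict) -> bool:
    """Prefer Origin; fall back to Referer; fail closed when both are absent.

    Browsers send Origin on cross-site POSTs, and send the literal string
    'null' for sandboxed or opaque origins, which correctly fails the check.
    """
    origin = headers.get("Origin")
    if origin is not None:
        return origin in ALLOWED_ORIGINS
    referer = headers.get("Referer")
    if referer:
        parts = urlsplit(referer)
        return f"{parts.scheme}://{parts.netloc}" in ALLOWED_ORIGINS
    return False


def csrf_check(method: str, headers: dict, form: dict, session: dict):
    """Validate a request. Returns (ok, reason) so callers can log rejections."""
    if method.upper() in SAFE_METHODS:
        return True, "safe method"
    if not origin_is_trusted(headers):
        return False, "origin not trusted"
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token")
    if not expected or not supplied:
        return False, "token missing"
    # Constant-time comparison on bytes (compare_digest rejects non-ASCII str).
    if not hmac.compare_digest(expected.encode("utf-8"), supplied.encode("utf-8")):
        return False, "token mismatch"
    return True, "ok"


if __name__ == "__main__":
    # Constructed requests: a legitimate form post and a forged cross-site post.
    session = {}
    token = issue_csrf_token(session)
    print(csrf_check("POST", {"Origin": "https://app.example"},
                     {"csrf_token": token}, session))
    print(csrf_check("POST", {"Origin": "https://evil.example"},
                     {"csrf_token": token}, session))
```

The Origin check and the token check are independent layers: the attacker's page cannot forge the Origin header from a browser, and cannot read the token because the same-origin policy keeps the victim's pages unreadable. A deployment behind a reverse proxy must make sure the proxy forwards Origin and Referer untouched, or the fail-closed fallback will reject every legitimate post.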
Part of the Ciphers Security glossary. Free reference for analysts, defenders & learners.