Cross-site request forgery (CSRF)

In a cross-site request forgery (CSRF) attack, an attacker tricks the browser into making an HTTP request to the target site from a malicious site. The request includes the user's credentials and causes the server to carry out some harmful action, thinking that the user intended it.

A CSRF attack is possible if a website:

  • Uses HTTP requests to change some state on the server
  • Uses only cookies to validate that the request came from an authenticated user
  • Uses only parameters in the request that an attacker can predict

There are several defenses against CSRF attacks, including CSRF tokens, using fetch metadata to block certain cross-site requests, and setting the SameSite attribute on cookies used to authenticate sensitive requests.

CSRF Token Example

A typical implementation includes a hidden token in forms:

```html
<form action="/transfer" method="POST">
  <input type="hidden" name="csrf_token" value="a1b2c3d4e5f6..." />
  <input type="text" name="amount" />
  <button type="submit">Transfer</button>
</form>
```

The server validates this token before processing the request.
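The following is an added example, not code from this page: a minimal server-side implementation of two of the defenses described above, a session-bound CSRF token that is embedded in the transfer form and checked on submission, plus a Fetch Metadata (Sec-Fetch-Site) check. The session identifier, secret, and header/form dictionaries are constructed stand-ins for what a real framework would supply.

```python
import hashlib
import hmac
import secrets

# Assumption: a per-process secret; a real deployment would load this from config.
SERVER_SECRET = secrets.token_bytes(32)


def issue_csrf_token(session_id: str) -> str:
    """Derive a CSRF token bound to the user's session.

    An HMAC over the session id means the token is unpredictable to an attacker
    (satisfying the third condition above) and needs no server-side storage.
    """
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def render_transfer_form(session_id: str) -> str:
    """Embed the token as the hidden field shown in the HTML example."""
    token = issue_csrf_token(session_id)
    return (
        '<form action="/transfer" method="POST">\n'
        f'  <input type="hidden" name="csrf_token" value="{token}" />\n'
        '  <input type="text" name="amount" />\n'
        '  <button type="submit">Transfer</button>\n'
        '</form>'
    )


def fetch_metadata_allows(headers: dict) -> bool:
    """Reject state-changing requests that the browser labels as cross-site.

    Browsers that do not send Sec-Fetch-Site are let through; the token check
    below still applies to them, so this is defense in depth, not a replacement.
    """
    site = headers.get("Sec-Fetch-Site")
    if site is None:
        return True
    return site in ("same-origin", "none")


def validate_transfer(headers: dict, form: dict, session_id: str) -> bool:
    """Return True only if both the Fetch Metadata and CSRF token checks pass."""
    if not fetch_metadata_allows(headers):
        return False
    expected = issue_csrf_token(session_id)
    submitted = str(form.get("csrf_token", ""))
    # Constant-time comparison so token validation leaks no timing information.
    return hmac.compare_digest(expected.encode(), submitted.encode())
```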
