mediumWeb Fundamentals

Cross-Site Request Forgery (CSRF) Attacks

Learn the interview-ready mental model, practical trade-offs, and production patterns for this web fundamentals topic.

TL;DRCSRF tricks authenticated users into performing unwanted actions. Protect with CSRF tokens + SameSite cookies.

High Signal

Google

1How CSRF Attacks Work

The attacker creates a malicious page that makes a request to the victim's authenticated site. The browser automatically includes cookies, making the request appear legitimate.

1. User logs into trusted site (bank.com) → Session cookie is set

2. User visits attacker's site (attacker.com)

3. Attacker's page auto-submits form or triggers request to bank.com

4. Browser sends request WITH cookies → Server processes it as valid

2CSRF Token Protection

Server generates a unique token per session, includes it in forms, and validates it on state-changing requests.

1. Server generates CSRF token and stores in session

2. Token is added as hidden field in forms

3. User submits form → Token sent with request

4. Server validates token matches session → Process request

5. Attacker cannot forge valid token

Key Takeaways

✓CSRF exploits authenticated sessions via forged requests
✓Always protect POST, PUT, DELETE, and PATCH endpoints
✓CSRF tokens are the most reliable defense
✓SameSite=Strict/Lax cookies provide strong additional protection
✓Use framework CSRF middleware when available
✓Never use GET for actions that change state

mediumWeb Fundamentals

Cross-Site Request Forgery (CSRF) Attacks

Learn the interview-ready mental model, practical trade-offs, and production patterns for this web fundamentals topic.

TL;DRCSRF tricks authenticated users into performing unwanted actions. Protect with CSRF tokens + SameSite cookies.

High Signal

Google

1How CSRF Attacks Work

The attacker creates a malicious page that makes a request to the victim's authenticated site. The browser automatically includes cookies, making the request appear legitimate.

1. User logs into trusted site (bank.com) → Session cookie is set

2. User visits attacker's site (attacker.com)

3. Attacker's page auto-submits form or triggers request to bank.com

4. Browser sends request WITH cookies → Server processes it as valid

2CSRF Token Protection

Server generates a unique token per session, includes it in forms, and validates it on state-changing requests.

1. Server generates CSRF token and stores in session

2. Token is added as hidden field in forms

3. User submits form → Token sent with request

4. Server validates token matches session → Process request

5. Attacker cannot forge valid token

Key Takeaways

✓CSRF exploits authenticated sessions via forged requests
✓Always protect POST, PUT, DELETE, and PATCH endpoints
✓CSRF tokens are the most reliable defense
✓SameSite=Strict/Lax cookies provide strong additional protection
✓Use framework CSRF middleware when available
✓Never use GET for actions that change state

Topic content

1How CSRF Attacks Work

2CSRF Token Protection

3SameSite Cookie Protection

Topic content

1How CSRF Attacks Work

2CSRF Token Protection

3SameSite Cookie Protection