
What is CSRF (Cross-Site Request Forgery)?


Cross-Site Request Forgery (CSRF, sometimes written XSRF), also known as session riding or a one-click attack, is a web security vulnerability in which an attacker causes a user's browser to submit a state-changing request to a web application in which that user is already authenticated, without the user intending or noticing it.

To understand how CSRF works, it helps to consider how browsers handle authentication. When a user logs into a website, the server typically issues a session cookie that the browser stores and automatically attaches to every subsequent request made to that site, no matter which page caused the request. A CSRF attack exploits this behavior by luring the victim onto a page the attacker controls (or into clicking a crafted link) that silently issues a request to the target site, for example through an auto-submitting form, an image tag, or a link. Because the browser attaches the session cookie, the server receives what appears to be a legitimate, authenticated request and processes it. Note that the same-origin policy still prevents the attacker's page from reading the response; CSRF is therefore about triggering side effects (a transfer, a settings change), not about stealing data.

The consequences of a successful CSRF attack can be severe. Depending on the privileges of the targeted user, an attacker might change account settings, transfer funds, alter email addresses, or perform any action the user is authorized to take. The attack is particularly insidious because the victim often has no indication that anything has gone wrong.

How CSRF is Prevented

The most widely adopted defense is the use of CSRF tokens, also called anti-CSRF tokens or synchronizer tokens. When a server renders a form or prepares a state-changing request, it generates a unique, unpredictable token and binds it to the user's session. The client must return this token with any request that modifies state, typically in a hidden form field or a custom request header rather than in the URL, where it could leak through logs or the Referer header. The server then compares the submitted value against the token stored for that session, ideally with a constant-time comparison, and rejects the request on mismatch. Because the same-origin policy stops a malicious third-party site from reading the token out of the target site's pages, it cannot forge a valid request. OWASP recommends the synchronizer token pattern as a primary countermeasure.

A complementary approach relies on the SameSite cookie attribute, a browser-level control that restricts when cookies are sent along with cross-site requests. Setting a cookie to SameSite=Strict prevents the browser from including it in any cross-site request, including top-level navigations from another site, which neutralizes most CSRF vectors. SameSite=Lax is a more permissive middle ground: the cookie is sent on top-level navigations that use a safe method such as GET, but withheld from cross-site POSTs, embedded iframes, and subresource requests. SameSite=None restores the old behavior and must be combined with Secure. Modern browsers honor the attribute, and Chromium-based browsers treat cookies that lack it as Lax by default, so it is a valuable defensive layer even without server-side token logic. Two caveats matter in practice: Lax still sends the cookie on a cross-site GET, so any endpoint that changes state on GET remains exploitable; and "site" is the registrable domain, so a compromised or attacker-controlled sibling subdomain is same-site and bypasses the attribute entirely.
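The following added example (not code from the original page) simulates the decision a browser makes for each SameSite value: given who initiated a request, where it goes, its method, and whether it is a top-level navigation, does the session cookie ride along? The hosts bank.example and evil.example are hypothetical, and the "registrable domain" is approximated as the last two host labels instead of consulting the Public Suffix List, which is a simplifying assumption.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

# Methods a SameSite=Lax cookie may accompany on a cross-site top-level navigation.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def registrable_domain(host: str) -> str:
    """Approximate the registrable domain (eTLD+1) as the last two labels.

    Real browsers consult the Public Suffix List so that e.g. 'example.co.uk'
    is handled correctly; the two-label rule is a simplifying assumption here.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def same_site(url_a: str, url_b: str) -> bool:
    """'Schemeful same-site': same scheme and same registrable domain.

    Subdomains (blog.bank.example vs bank.example) are same-site; a different
    scheme (http vs https) is not.
    """
    a, b = urlsplit(url_a), urlsplit(url_b)
    return (a.scheme.lower() == b.scheme.lower()
            and registrable_domain(a.hostname or "") == registrable_domain(b.hostname or ""))


@dataclass
class BrowserRequest:
    method: str       # HTTP method the request will use
    url: str          # destination URL (where the cookie would be sent)
    initiator: str    # URL of the document that caused the request
    top_level: bool   # True for a top-level navigation (link click, form targeting the top frame)


def cookie_sent(samesite: str, req: BrowserRequest) -> bool:
    """Decide whether a cookie with the given SameSite value accompanies `req`."""
    mode = (samesite or "none").lower()
    if same_site(req.initiator, req.url):
        return True                                 # same-site: always attached
    if mode == "strict":
        return False                                # never on a cross-site request
    if mode == "lax":
        return req.top_level and req.method.upper() in SAFE_METHODS
    return True                                     # SameSite=None (must also be Secure)


# Constructed scenarios against a hypothetical target application.
TARGET = "https://bank.example/transfer"
ATTACKER_PAGE = "https://evil.example/free-prizes.html"
SIBLING_SUBDOMAIN = "https://blog.bank.example/post"

SCENARIOS = {
    # Auto-submitting <form method="POST"> inside a hidden iframe on the attacker's page.
    "hidden form POST from evil.example": BrowserRequest("POST", TARGET, ATTACKER_PAGE, False),
    # Attacker page submits a form that targets the top frame.
    "top-level form POST from evil.example": BrowserRequest("POST", TARGET, ATTACKER_PAGE, True),
    # Victim clicks a link: a top-level GET navigation.
    "top-level GET link from evil.example": BrowserRequest("GET", TARGET, ATTACKER_PAGE, True),
    # A compromised sibling subdomain is same-site, so SameSite offers no protection.
    "POST from blog.bank.example": BrowserRequest("POST", TARGET, SIBLING_SUBDOMAIN, False),
}


def samesite_matrix() -> dict:
    """Return {scenario: {attribute: cookie_sent}} for every scenario and attribute."""
    return {name: {attr: cookie_sent(attr, req) for attr in ("None", "Lax", "Strict")}
            for name, req in SCENARIOS.items()}


if __name__ == "__main__":
    for name, row in samesite_matrix().items():
        cells = "  ".join(f"{k}={'sent' if v else 'blocked'}" for k, v in row.items())
        print(f"{name:40s} {cells}")
```

The matrix makes the two caveats visible: the top-level GET link row shows Lax still sending the cookie, and the sibling-subdomain row shows every SameSite value sending it, because the request is not cross-site at all.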

Additional mitigations include verifying the Origin and Referer HTTP headers to confirm that a request comes from an expected source. Browsers send Origin on cross-origin and POST requests, while Referer may be stripped by a Referrer-Policy or privacy tooling, so compare the full origin (scheme, host and port, not a substring) and fail closed when neither header is present. For APIs called from scripts, requiring a custom request header is another option: a cross-site HTML form cannot set one, and a script that does triggers a CORS preflight the target can refuse. Requiring re-authentication for sensitive operations such as password changes or financial transactions limits the damage if the other layers fail. At the edge, a Web Application Firewall (WAF) can be configured to detect and block suspicious cross-origin request patterns, though it should be treated as defense in depth rather than the primary control.
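As an added example (not code from the page or any particular framework), the following minimal server-side handler combines the layers above: a per-session synchronizer token checked in constant time, a SameSite=Lax session cookie, and an Origin check with a Referer fallback that fails closed. The origin https://bank.example, the in-memory session store and the Request structure are assumptions standing in for a real framework's request object and session backend.

```python
import hmac
import html
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Assumed deployment origin of the protected application (hypothetical).
TRUSTED_ORIGIN = "https://bank.example"

# In-memory session store standing in for a database or cache: session id -> data.
SESSIONS = {}


def login(user: str) -> str:
    """Create a session with its own unpredictable CSRF token; return the session id."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def session_cookie_header(sid: str) -> str:
    """Set-Cookie value for the session: SameSite=Lax as a second layer beside the token."""
    return f"session={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


def render_transfer_form(sid: str) -> str:
    """Server-rendered form carrying the synchronizer token in a hidden field."""
    token = html.escape(SESSIONS[sid]["csrf"])
    return ('<form method="POST" action="/transfer">'
            f'<input type="hidden" name="csrf_token" value="{token}">'
            '<input name="to"><input name="amount"><button>Send</button></form>')


@dataclass
class Request:
    method: str
    headers: dict = field(default_factory=dict)   # header names lower-cased
    form: dict = field(default_factory=dict)      # parsed request body


def parse_cookies(header: str) -> dict:
    """Parse a Cookie request header into a name -> value dict."""
    out = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            out[name] = value
    return out


def origin_allowed(headers: dict) -> bool:
    """Compare the full origin (scheme, host, port) from Origin, else Referer; fail closed."""
    origin = headers.get("origin")
    if origin is None:
        referer = headers.get("referer")
        if not referer:
            return False          # neither header present: do not guess, reject
        p = urlsplit(referer)
        origin = f"{p.scheme}://{p.netloc}"
    return origin.rstrip("/") == TRUSTED_ORIGIN


def handle_transfer(req: Request) -> tuple:
    """State-changing endpoint guarded by session, origin check and synchronizer token."""
    if req.method.upper() != "POST":
        return 405, "method not allowed"           # never change state on GET
    cookies = parse_cookies(req.headers.get("cookie", ""))
    session = SESSIONS.get(cookies.get("session", ""))
    if session is None:
        return 401, "not authenticated"
    if not origin_allowed(req.headers):
        return 403, "origin not allowed"
    submitted = req.form.get("csrf_token", "")
    # Constant-time comparison against the token bound to *this* session.
    if not hmac.compare_digest(submitted.encode(), session["csrf"].encode()):
        return 403, "invalid CSRF token"
    return 200, f"{session['user']} sent {req.form.get('amount')} to {req.form.get('to')}"


if __name__ == "__main__":
    sid = login("alice")
    cookie = f"session={sid}"
    legit = Request("POST", {"cookie": cookie, "origin": TRUSTED_ORIGIN},
                    {"csrf_token": SESSIONS[sid]["csrf"], "to": "bob", "amount": "10"})
    # Forged cross-site POST: the browser attached the cookie, but the attacker's page
    # cannot read the token and its Origin header is its own site.
    forged = Request("POST", {"cookie": cookie, "origin": "https://evil.example"},
                     {"to": "mallory", "amount": "10000"})
    print(session_cookie_header(sid))
    print(handle_transfer(legit))
    print(handle_transfer(forged))
```

Each check is independent: the forged request is rejected by the origin check first, and would still be rejected by the token check even if an attacker found a way to spoof Origin, which is the point of layering.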

CSRF (CWE-352) is categorized as a broken access control issue. It appeared as its own entry in the OWASP Top 10 in 2007, 2010 and 2013, was dropped in 2017 as mainstream frameworks began shipping built-in defenses, and now falls under Broken Access Control in the 2021 list. Understanding it remains fundamental to building secure web applications, particularly those that rely on cookie-based authentication, since any framework-level protection still has to be enabled and applied to every state-changing endpoint.
