Skip to main content


Home Cross-site request forgery

Cross-site request forgery

(also CSRF)

Cross-site request forgery definition

Cross-site request forgery (CSRF) is a security vulnerability that allows an attacker to trick a user into unwittingly executing actions on a web application. CSRF involves an attacker creating a replica of a legitimate website, then using the victim’s session cookie to perform actions on the legitimate website (such as transferring money or changing security settings). Cross-site request forgery often involves social engineering techniques, such as sending the victim a link to a fake website.

See also: active attack, social engineering

How cross-site request forgery works

  • The user logs into a legitimate website to access a service or product (e.g., a bank account). The website generates a session cookie and stores it in the user’s browser.
  • The attacker creates a fake website that looks identical to the authentic website. They also include a hidden form that submits a request to the legitimate website.
  • The attacker sends the victim a link to the fake website by email, text, or other means of communication.
  • The victim clicks on the link and goes to the fake website. The fake website submits a request to the legitimate website using the victim’s session cookie.
  • The legitimate website receives the request and assumes it came from the victim because it includes the victim’s session cookie. The website performs the requested action (such as transferring money from the victim’s account).

How to prevent CSRF attacks

  • CSRF tokens: Websites can include unique tokens with each request that the server checks.
  • SameSite cookies: SameSite is a cookie attribute developers use to prevent CSRF attacks. When a cookie has a SameSite attribute, the browser will only send cookies in requests originating from the same website that set the cookie.
  • Referer validation: Websites can check the HTTP referer header of incoming requests to ensure that they originated from the same site. This method could be unreliable because some browsers may block or modify the referer header.