CSRF (Cross-Site Request Forgery) tricks a user's browser into making unwanted requests to a site where they're already authenticated. If you're logged into your bank and visit a malicious page, that page could submit a transfer request using your session cookie — without your knowledge.

How CSRF Works

A malicious page contains: <img src='https://bank.com/transfer?to=attacker&amount=10000'>. Your browser fetches that URL as if it were an image and, because the request goes to bank.com, attaches your bank's session cookie. The bank processes it because the cookie is valid and the request is indistinguishable from one you made yourself. CSRF tokens prevent this — each form includes a unique, unguessable token the server validates, and the malicious page has no way to read that token, so its forged request is rejected.

Key Concepts

  • CSRF Token — A unique, unpredictable value included in each form — the server rejects any state-changing request that does not carry a valid token
  • SameSite Cookies — Cookie attribute that restricts whether the browser attaches the cookie to cross-site requests
  • Double Submit Cookie — Alternative CSRF protection — the same random value is sent both as a cookie and in a request header, and the server checks that the two match
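
The token check and the double-submit variant described above, as an added example that is not part of the original article: a minimal transfer handler in Python that derives a per-session token with HMAC and compares it in constant time. The request dict, the session id and SECRET_KEY are constructed stand-ins for a real framework's request object and configuration.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Hypothetical server secret; a real deployment loads this from configuration.
SECRET_KEY = secrets.token_bytes(32)


def issue_csrf_token(session_id: str) -> str:
    """Derive the token from the session id with HMAC, so the server
    stores nothing extra and the value is unguessable without the key."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def validate_csrf_token(session_id: str, submitted: Optional[str]) -> bool:
    """Constant-time comparison against the token expected for this session."""
    if not submitted:
        return False
    expected = issue_csrf_token(session_id)
    return hmac.compare_digest(expected.encode(), submitted.encode())


def double_submit_ok(cookie_value: Optional[str], header_value: Optional[str]) -> bool:
    """Double submit variant: cookie and request header must carry the same
    random value; a cross-site page cannot read the cookie to copy it."""
    if not cookie_value or not header_value:
        return False
    return hmac.compare_digest(cookie_value.encode(), header_value.encode())


def handle_transfer(request: dict) -> str:
    """Minimal /transfer handler; `request` is a constructed dict with keys
    'method', 'cookies' and 'form', standing in for a framework object."""
    if request["method"] != "POST":
        return "405 state changes require POST"  # the <img> GET stops here
    session_id = request["cookies"].get("session")
    if session_id is None:
        return "401 not logged in"
    if not validate_csrf_token(session_id, request["form"].get("csrf_token")):
        return "403 CSRF token missing or invalid"
    return f"200 transferred {request['form']['amount']} to {request['form']['to']}"


if __name__ == "__main__":
    # Constructed sample: the user's own form submission and a forged one
    # that carries the session cookie but not the token.
    sid = "victim-session"
    legit = {"method": "POST", "cookies": {"session": sid}, "form": {
        "to": "alice", "amount": "10", "csrf_token": issue_csrf_token(sid)}}
    forged = {"method": "POST", "cookies": {"session": sid}, "form": {"to": "x", "amount": "1"}}
    print(handle_transfer(legit), "|", handle_transfer(forged))
```

The GET-only check is a separate layer: even a site with no tokens at all is far less exposed if it never changes state on GET.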

Frequently Asked Questions

Do SPAs need CSRF protection?

If the SPA authenticates with cookies, yes. If it sends a JWT in an Authorization header, CSRF isn't a risk because the browser doesn't attach that header automatically the way it attaches cookies. SameSite=Strict cookies also mitigate CSRF.