Cross-Site Request Forgery (CSRF)

Tricks a user's browser into sending unauthorized requests to a web app where they're authenticated.


What it is

Cross-site request forgery (CSRF) is a web vulnerability that abuses the implicit trust a web application places in a user's browser. Once a user is authenticated, their browser automatically attaches session cookies, certain headers, or client certificates to every request sent to that domain. An attacker can craft a malicious webpage or email that silently causes the victim's browser to submit a forged request, such as changing an account email or initiating a funds transfer, to a legitimate application. Because the request carries valid authentication artifacts, the application treats it as the user's own action.

CSRF typically targets state-changing actions, particularly in apps that rely solely on cookie-based sessions without additional anti-forgery tokens or SameSite cookie attributes. Single-page applications are also at risk when they expose cross-origin endpoints without verifying request intent. Although the vulnerability has been known for decades, subtle implementation flaws and complex browser behaviors keep CSRF relevant across e-commerce, banking, and administrative portals.

Why it matters

Exploiting CSRF can lead to unauthorized transactions, privilege escalation, or account takeover. Financial services, healthcare portals, and SaaS administration consoles are frequent targets because a single forged request can cause irreversible harm or regulatory violations.

How to reduce risk

  • Require unpredictably generated anti-CSRF tokens on state-changing requests and validate them server-side.
  • Set session cookies with the SameSite=Strict or SameSite=Lax attribute, and ensure APIs validate the Origin and Referer headers on state-changing requests.
  • Adopt content security policies and avoid embedding sensitive actions inside third-party iframes.
  • Provide explicit logout controls and educate users to avoid multitasking while logged into sensitive systems.
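The first two controls above (a session-bound anti-CSRF token checked in constant time, a SameSite session cookie, and Origin/Referer validation) combined in one server-side check. This is an added illustration, not code from the glossary's source; the site origin, server secret, session id and request headers are constructed values.

```python
import hmac
import hashlib
from urllib.parse import urlsplit

# Assumed values for this example: the application's own origin and a per-deployment secret.
SITE_ORIGIN = "https://app.example"
SERVER_SECRET = b"constructed-secret-do-not-reuse"


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value: SameSite=Lax keeps the cookie off cross-site POSTs."""
    return f"session={session_id}; Secure; HttpOnly; Path=/; SameSite=Lax"


def issue_csrf_token(session_id: str) -> str:
    """Token bound to the session: HMAC(server secret, session id), so a token
    from one session is useless for another and cannot be guessed without the secret."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def origin_is_ours(headers: dict) -> bool:
    """Accept only if Origin (preferred) or Referer names our site.
    A missing value is treated as untrusted; the literal 'null' Origin also fails."""
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin == SITE_ORIGIN


def state_change_allowed(session_id: str, headers: dict, form: dict) -> bool:
    """Both checks must pass before a state-changing request is processed."""
    expected = issue_csrf_token(session_id).encode()
    supplied = form.get("csrf_token", "").encode()
    token_ok = hmac.compare_digest(expected, supplied)  # constant-time comparison
    return origin_is_ours(headers) and token_ok


# Constructed sample requests: one from the app's own page, one forged cross-site.
SESSION = "s3ss10n-constructed"
LEGIT = {"headers": {"Origin": SITE_ORIGIN},
         "form": {"csrf_token": issue_csrf_token(SESSION), "new_email": "me@example"}}
FORGED = {"headers": {"Origin": "https://other.example"},
          "form": {"new_email": "other@example"}}
```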