What is a CSRF attack?

CSRF initials are Cross-Site Request Forgery.
It is a web security attack where a malicious website tricks a logged-in user's browser into performing an unintended action on another website where the user is already authenticated.

The weakness that is being exploited is in the definition of how browsers treat cookies:

The browser automatically includes cookies (session/auth cookies) with requests, even if the request was triggered by a different site.

Example 1: bank transfer (Classic example)

1️⃣ Normal behavior

You are logged into your bank:

https://bank.com

You are authenticated via a cookie:

Cookie: session=abc123

The bank has an API endpoint called /transfer:

POST /transfer
amount=1000&toAccount=9876

2️⃣ Attacker's website

You visit a malicious website:

https://evil.com

It contains hidden HTML:

<form action="https://bank.com/transfer" method="POST">
  <input type="hidden" name="amount" value="1000">
  <input type="hidden" name="toAccount" value="9876">
</form>

<script>
  document.forms[0].submit();
</script>

3️⃣ What happens in your browser

Your browser automatically includes bank.com cookies
The request looks legitimate to the bank
The transfer happens
You never clicked “Transfer”

💥 Attack succeeds

Why CSRF works

CSRF works because:

Cookies are automatically sent
The server cannot tell whether:
- the request came from its own UI
- or from a malicious site

Example 2: changing email/password (also common)

Same idea: let's say facebook has an endpoint /change-email:

POST /change-email
email=attacker@example.com

If unprotected, an attacker can:

Change your email
Reset your password
Take over your account

When CSRF is possible

CSRF attacks are possible when:

Authentication uses cookies (which it often does)
The action has no CSRF protection
The browser can send the request automatically

How to prevent a CSRF attack?

✅ 1. SameSite cookies

The setting that allows or disallows 3rd-party websites to send cookies on your behalf, is called SameSite. And the default setting for SameSite is "lax".

By simply changing the value to "Strict", you can prevent CSRF attacks.

Set-Cookie: session=abc123; SameSite=Strict

Browser won't send cookies on cross-site requests
Very effective modern defense

✅ 2. CSRF tokens (most common)

Server generates a random token
Token is embedded in forms / headers
Server verifies token on every state-changing request

Example:

<input type="hidden" name="csrfToken" value="random123">

If the attacker doesn't know the token → request fails.

✅ 3. Check Origin / Referer headers

Server verifies:

Origin: https://bank.com

Less reliable, but useful as an extra layer.

They are less reliable because browsers may omit them, and servers must decide what to do then. There could be legitimate requests without referrer. For example, Opening a link from bookmarks.

Can an attacker fake these headers? ❌ From a normal browser: NO

A malicious website cannot arbitrarily set or modify:

Origin
Referrer

Browsers forbid JavaScript from controlling these headers.

Example 1: bank transfer (Classic example)​

1️⃣ Normal behavior​

2️⃣ Attacker's website​

3️⃣ What happens in your browser​

Why CSRF works​

Example 2: changing email/password (also common)​

When CSRF is possible​

How to prevent a CSRF attack?​

✅ 1. SameSite cookies​

✅ 2. CSRF tokens (most common)​

✅ 3. Check Origin / Referer headers​