Cross-Site Request Forgery (CSRF) tricks a user’s browser into submitting authenticated actions to a trusted site. Once ubiquitous, modern browsers and frameworks have made the baseline defence far stronger. But CSRF still appears — especially in legacy APIs and apps that mishandle authentication state.

The core attack

User is logged into bank.com (browser holds session cookie). User visits malicious.com. Malicious page includes a hidden form or fetch that POSTs to bank.com/transfer?amount=1000&to=attacker. Browser automatically includes bank.com’s cookie. Transfer executes.

<!-- Malicious page -->
<form action="https://bank.com/transfer" method="POST" id="f">
  <input name="amount" value="10000">
  <input name="to"     value="attacker">
</form>
<script>document.getElementById('f').submit();</script>

Classic CSRF. User never authorised the action, but it executes with their credentials.

SameSite cookies — the modern default defence

Cookie attribute introduced in 2016, now the baseline:

SameSite=Strict — cookie never sent on cross-site requests. Tightest, sometimes breaks OAuth flows.
SameSite=Lax — cookie sent on top-level navigations (links), but not on cross-site POSTs or iframes. Modern default since Chrome 80.
SameSite=None — cookie sent on cross-site requests. Requires Secure. Used for third-party contexts (single sign-on, embeds).

Most auth cookies should be SameSite=Lax; Secure; HttpOnly. Use Strict when no third-party navigation is expected.

Anti-CSRF tokens

Before SameSite, the standard defence. Server generates a random token per session; includes in forms; validates on submission.

🔐 Intermediate Module · Basic Tier

Continue reading with Basic tier (₹499/month)

You've read 25% of this module. Unlock the remaining deep-dive, quiz, and every other Intermediate module.

99+ modulesAll levels up to this tier

20-question quizzesUnlimited retries with explanations

Completion certificatesShareable on LinkedIn

See pricing → Sign in

6 more sections locked below

Module 11 · Cross-Site Request Forgery Deep Dive 🔒

The core attack

SameSite cookies — the modern default defence

Anti-CSRF tokens

Continue reading with Basic tier (₹499/month)

Other modules in this track

Module 2 · Web Enumeration & Recon <span style="color:#6EC1E4;font-size:0.7em;vertical-align:middle;" title="Academy lesson — sign in for full access">🔒</span>

Module 7 · Business Logic Flaws <span style="color:#6EC1E4;font-size:0.7em;vertical-align:middle;" title="Academy lesson — sign in for full access">🔒</span>

Module 4 · SQL Injection in 2026 <span style="color:#6EC1E4;font-size:0.7em;vertical-align:middle;" title="Academy lesson — sign in for full access">🔒</span>