What Is Cross-Site Request Forgery (CSRF) and Why Should You Care?
- Joha Mahfuz
- Jun 10, 2025
- 2 min read
Updated: Jun 11, 2025
By SecYork
In the ever-expanding world of web applications, security isn’t just a feature—it’s a necessity. One silent but dangerous web vulnerability that continues to impact modern websites is Cross-Site Request Forgery (CSRF). At SecYork, we believe awareness is the first step toward defense.
What Is CSRF?
Cross-Site Request Forgery (CSRF) is a type of web attack where a malicious website tricks a user’s browser into performing unwanted actions on a different site where the user is already authenticated.
Real-World Analogy:
Imagine you're logged into your bank in one browser tab. In another tab, you visit a malicious site. That site secretly tells your browser:
“Transfer $1,000 from your account to mine.”
Because you're still logged in to your bank, your browser complies—without your consent.
How CSRF Works
A typical CSRF attack involves three components:
1. The victim is logged into a target site (e.g., a banking app).
2. The attacker sends the victim a malicious link, or embeds a request in a web page or email.
3. The victim unknowingly triggers a request to the target site using their active session.
Example:
<img src="https://bank.com/transfer?amount=1000&to=attacker" />
When the victim's browser loads the page containing this image tag, it sends the request to bank.com together with the victim's cookies and session information, so the target site treats the request as legitimate.
Why Is CSRF Dangerous?
Stealthy: Victims often don’t realize an attack has occurred.
Authenticated Actions: Exploits a user’s trusted session.
Wide Impact: Can affect anything from changing passwords to transferring money or deleting records.
How to Prevent CSRF
Modern web development includes several best practices and countermeasures:
1. Use Anti-CSRF Tokens
Generate a unique token per user/session and include it in every form or API call. The server checks this token before executing the action.
2. SameSite Cookies
Set cookies with the SameSite attribute (Strict or Lax) to restrict cross-site usage. Note that Lax still sends the cookie on top-level GET navigations, which is one more reason never to let a GET request change state (see point 5).
3. Require Re-authentication for Sensitive Actions
Force users to re-enter passwords for key actions like changing credentials or making payments.
4. Use Strong CORS Policies
Limit who can make cross-origin requests to your backend APIs. Keep in mind that CORS controls whether a cross-origin script may read a response; the browser still sends a plain form or image request regardless, so CORS complements tokens and SameSite cookies rather than replacing them.
5. Verify HTTP Methods
Use POST/PUT for state-changing operations and reject GET requests that alter data.
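To make the defences concrete, here is an added example (not code from the original post or from SecYork) of a simulated transfer handler that applies points 1, 2 and 5 above against requests shaped like the forged image request in the example: a per-session synchronizer token, a SameSite session cookie, and a POST-only rule. The app origin https://bank.example, the session ids and the request dicts are constructed for the demo.

```python
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Server-side state for the demo (constructed; a real app would use its session store).
TRUSTED_ORIGIN = "https://bank.example"   # assumed origin of the protected application
_session_tokens: Dict[str, str] = {}       # session id -> anti-CSRF token

def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value for the login session (point 2): SameSite=Lax keeps the
    cookie off cross-site POSTs and embedded subresource requests like <img>."""
    return f"session={session_id}; Secure; HttpOnly; SameSite=Lax; Path=/"

def issue_csrf_token(session_id: str) -> str:
    """Synchronizer token (point 1): one unguessable value per session, to be
    embedded in every form or API call the session makes."""
    token = secrets.token_urlsafe(32)
    _session_tokens[session_id] = token
    return token

def verify_csrf_token(session_id: str, submitted: Optional[str]) -> bool:
    """Constant-time check; a missing token or unknown session fails closed."""
    expected = _session_tokens.get(session_id)
    if expected is None or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)

def handle_transfer(request: dict) -> Tuple[int, str]:
    """Simulated /transfer handler. `request` is a constructed dict with the keys
    method, cookies, headers and form; returns (status, message)."""
    if request["method"] != "POST":                      # point 5: GET never changes state
        return 405, "state-changing actions require POST"
    session_id = request["cookies"].get("session")
    if session_id is None:
        return 401, "not logged in"
    origin = request["headers"].get("Origin")
    if origin is not None and origin != TRUSTED_ORIGIN:  # defence in depth: foreign origin
        return 403, "cross-origin request rejected"
    if not verify_csrf_token(session_id, request["form"].get("csrf_token")):
        return 403, "missing or invalid anti-CSRF token"
    return 200, f"transferred {request['form']['amount']} to {request['form']['to']}"

if __name__ == "__main__":
    sid = "sess-123"                                     # constructed session id
    token = issue_csrf_token(sid)
    forged = {"method": "GET", "cookies": {"session": sid}, "headers": {},
              "form": {"amount": "1000", "to": "attacker"}}   # shape of the <img> request
    legit = {"method": "POST", "cookies": {"session": sid}, "headers": {"Origin": TRUSTED_ORIGIN},
             "form": {"amount": "50", "to": "alice", "csrf_token": token}}
    print(handle_transfer(forged), handle_transfer(legit))
```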
Bonus: CSRF vs. XSS
| Feature | CSRF | XSS |
| --- | --- | --- |
| Abuses | User’s trusted session | Web app’s trust in user input |
| Requires login? | Yes | No |
| Attacker’s role | Triggers request via victim's browser | Injects/executes malicious script |
| Protection | Tokens, cookies, headers | Input/output sanitization |
Final Thoughts
CSRF attacks highlight the critical need for secure session and request handling in all modern web applications. As businesses increasingly rely on web portals and APIs, defending against CSRF should be a foundational part of your application security strategy.
At SecYork, we help clients perform web app security assessments, implement OWASP Top 10 protections, and train development teams on secure coding.
Ready to secure your app against CSRF and other web threats? 👉 Contact SecYork for a free consultation or penetration test quote.