
What Is CSRF

CSRF tricks a logged-in user's browser into performing unwanted actions on a trusted site. Plain-English definition for business owners.

Definition

CSRF (Cross-Site Request Forgery) is an attack that tricks a user's browser into performing an unwanted action on a website where they are currently logged in. The attacker does not need to steal the user's password. Instead, they exploit the fact that the browser automatically includes authentication cookies with every request it sends to that site, wherever the request originated. By getting the user to click a disguised link or visit a malicious page, the attacker can trigger actions -- like changing an email address, transferring funds, or updating account settings -- as if the user performed them intentionally.

Why It Matters

CSRF attacks are dangerous because they exploit legitimate user sessions. If your web application does not defend against them, any logged-in user is a potential victim. A staff member visiting a compromised website on their lunch break could unknowingly trigger changes in your business application running in another tab. The standard defence is a CSRF token — a unique, unpredictable value embedded in every form that the server checks before processing the request. Any reputable web framework includes CSRF protection by default, but it needs to be properly implemented and not accidentally disabled.

Example

An employee is logged into your company’s internal admin panel. They receive an email with an interesting-looking link and click it. The linked page contains a hidden form that automatically submits a request to your admin panel — changing the company’s bank details for supplier payments. Because the employee is logged in, their browser sends the request with valid session cookies, and the admin panel processes it as a legitimate change. CSRF token protection would have rejected the request because the hidden form would not contain the correct token.
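The token check described under Why It Matters, applied to the admin-panel scenario above, as an added illustration (not code from this page or from any particular framework). It uses only the Python standard library and assumes a constructed in-memory session store in place of a real cookie and session layer.

```python
import hmac
import re
import secrets
from urllib.parse import parse_qs, urlencode

# Constructed in-memory session store: session-cookie value -> session data.
SESSIONS = {}

def login():
    """Create a logged-in session and mint its unpredictable CSRF token."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"csrf_token": secrets.token_urlsafe(32)}
    return sid

def render_form(sid):
    """Embed the session's token as a hidden field, as a framework template would."""
    token = SESSIONS[sid]["csrf_token"]
    return ('<form method="POST" action="/settings/bank">'
            f'<input type="hidden" name="csrf_token" value="{token}">'
            '<input name="iban"><button>Save</button></form>')

def handle_post(cookie_sid, body):
    """Server-side check on the state-changing request.
    The browser adds the session cookie by itself; the token in the body can only
    come from a form we served to this session, which a forged page never saw."""
    session = SESSIONS.get(cookie_sid)
    if session is None:
        return 401, "not logged in"
    submitted = parse_qs(body).get("csrf_token", [""])[0]
    # Constant-time comparison so response timing does not leak the token.
    if not hmac.compare_digest(submitted, session["csrf_token"]):
        return 403, "CSRF token missing or invalid"
    return 200, "bank details updated"

def demo():
    """Legitimate submission vs. the hidden-form request from the example above."""
    sid = login()
    # Real user: the page they loaded carries the token; the browser posts it back.
    token = re.search(r'name="csrf_token" value="([^"]+)"', render_form(sid)).group(1)
    genuine = handle_post(sid, urlencode({"csrf_token": token, "iban": "GB00 GENUINE"}))
    # Forged page: the cookie still rides along, but the form holds no valid token.
    forged = handle_post(sid, urlencode({"iban": "GB00 FORGED"}))
    guessed = handle_post(sid, urlencode({"csrf_token": "guess", "iban": "GB00 FORGED"}))
    return genuine[0], forged[0], guessed[0]
```

Running `demo()` returns `(200, 403, 403)`: only the submission that echoes the token issued to that session is processed.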
