<script type="application/ld+json"> { "@context": "https://schema.org", "@type": "FAQPage", "mainEntity": [ { "@type": "Question", "name": "What role does a CSRF token play in preventing unauthorized requests?", "acceptedAnswer": { "@type": "Answer", "text": "A CSRF token is a per-session or per-request unguessable secret that must be sent with any state-changing call. Because an attacker’s page can’t read your origin to obtain or compute the token, forged requests won’t include a valid token and the server rejects them." } }, { "@type": "Question", "name": "How does a typical CSRF attack flow occur, and how can developers break it?", "acceptedAnswer": { "@type": "Answer", "text": "An attacker page triggers a cross-site “simple” request; the browser auto-attaches cookies; the server accepts it and mutates state. Break the flow by requiring a CSRF token, validating Origin/Referer, avoiding state changes on GET, using SameSite cookies, and forcing CORS preflight for JSON or custom headers." } }, { "@type": "Question", "name": "Are there alternatives to CSRF tokens for securing state-changing requests?", "acceptedAnswer": { "@type": "Answer", "text": "Alternatives include Origin/Referer validation, strict SameSite cookie policies, enforcing CORS preflight via non-simple headers or JSON, and step-up authentication (e.g., WebAuthn, re-entering a password, OTP). Tokens are still the most portable defense; combine them with origin checks for layered protection." } }, { "@type": "Question", "name": "Can modern frameworks like React or Angular mitigate CSRF without manual token handling?", "acceptedAnswer": { "@type": "Answer", "text": "Frameworks don’t change browser trust boundaries. Some libraries can read a CSRF cookie and send a header automatically, but your server must still issue and verify the token. Real CSRF defense lives on the server—token generation, binding, and enforcement." } }, { "@type": "Question", "name": "How does the SameSite cookie policy help defend against CSRF attacks?", "acceptedAnswer": { "@type": "Answer", "text": "SameSite=Lax withholds cookies on most cross-site subrequests and only sends them on top-level safe navigations (like GET). SameSite=Strict is tighter; None; Secure sends in all contexts. SameSite reduces ambient authority but isn’t sufficient alone—still require CSRF tokens and origin checks for state changes." } } ] } </script>
products
Back
products
A stack of blue books with the words cdn 1 and cdn 2.
Virtual Edge
Full Control. One Platfrom.
Controls all your CDN with IO river.
An image of a blue globe with a line going around it.
Virtual CDN
SIngle CDN. Built by Many.
One endpoint for all.
Solutions
Back
By Industry
Streaming
one line description for the
Ad
one line description for the
Media Publishers
one line description for the
Gaming
one line description for the
by need
Cost Reduction
one line description for the
Redundancy & Availability
one line description for the
CDN Migration
one line description for the
Unified Security Solution
one line description for the
Resources
Back
Resources
Resources Library
Case Studies
Blogs
Documentation
queries
Questions
Glossary
FAQ
Company
Back
About company
About Us
Events
Customers Stories
Careers
SUpport
Contact Us
Security passport
News
PricingPartners
Glossary
Cross-site Request Forgery

Cross-site Request Forgery

Roei Hazout

Ever logged into a website to check your bank account balance or update your social media profile, only to realize later that something strange happened? Maybe a payment you didn't authorize went through, or a post appeared on your timeline that you never created. If so, you might have been the victim of a Cross-Site Request Forgery (CSRF) attack.

CSRF exploits a loophole in how web browsers handle requests. By tricking you into clicking a link or visiting a malicious website, attackers can manipulate your browser into unknowingly performing actions on trusted websites where you're already logged in. 

What is Cross-site Request Forgery (CSRF)?

Cross-site Request Forgery exploits the trust a website has in the user’s browser. When you're logged into a site, it recognizes your browser as authenticated, often for convenience, so you don't have to sign in every time you visit. A CSRF attack leverages this trust by using a different website to send a request to the website where you are authenticated. The catch is, this request is something you never approved.

For example, if you’re logged into your online banking, CSRF could trick your browser into making a transfer to another account without your permission. It’s like someone else using your hand to sign a check. CSRF vulnerability is a significant concern in web security because it can be executed without downloading malware or using sophisticated hacking techniques.

{{cool-component}}

How Does Cross-site Request Forgery Work?

To fully grasp this concept of ‘how does CSRF work’, think of it as someone secretly controlling your actions on a website. This type of attack happens in stages, typically starting with the attacker preparing a malicious website or a link that contains harmful code.

  1. Session Riding: Once you log into a website, a session is established between your browser and the website. This session is maintained by session cookies that remember your identity without needing you to re-login every time you make a request.
  2. Crafting Malicious Requests: The attacker then crafts a malicious request (like a forged form submission or script) that looks like a legitimate request to the website.
  3. Tricking the User: The next step involves tricking you into visiting the attacker's prepared web page or clicking a malicious link. This can be achieved through various means, such as sending an email, displaying ads, or embedding the link in a different website.
  4. Automatic Execution: If you interact with the content (by clicking a link or loading the attacker’s page), the malicious request is automatically sent to the target website. Because your browser is still logged into the target site, it mistakenly considers this request as coming from you.
  5. Action Completion: The website receives the forged request and processes it as if it were a legitimate action initiated by you. This could be anything from changing your account password, making a purchase, or any other action that you can perform on the website.

What is the Impact of a CSRF Attack?

The simplicity and effectiveness of CSRF attacks make them especially dangerous. The impact largely depends on the nature of the actions that the CSRF attack forces the user to perform.

  1. Stolen Money: On financial sites or online stores, CSRF attacks can trigger unauthorized transactions. Imagine money being transferred out of your account, unwanted items being purchased, or billing information being changed – all without your knowledge!
  2. Account Takeover: Attackers can exploit CSRF attacks to alter your account settings or details. This could mean a changed email address, password, or security questions, essentially locking you out of your own account.
  3. Data Breach: If the attack manipulates your session, it can steal sensitive information like contact details, credit card info, or even personal identifiers, putting you at risk of identity theft.
  4. Spreading Lies: On social media or blogging platforms, CSRF attacks can be used to post unauthorized content or misinformation. This can damage your personal reputation or an organization's image.
  5. Legal Trouble: Businesses hit by CSRF attacks may violate data protection regulations, leading to hefty fines and a loss of trust from clients and partners.

Which Requests Are Actually CSRF‑Able

A request is CSRF‑able when two things are true:

  1. the browser will auto‑attach ambient credentials (usually cookies) to the target site, and
  2. the request can be launched cross‑site (from an attacker‑controlled page) without user intent being verifiable. This is the heart of cross site request forgery. 

CSRF‑able in Practice

  • State‑changing endpoints. Anything that creates/updates/deletes (payments, email/phone changes, password resets, admin actions). If a GET mutates state, it’s immediately at risk; GET must be side‑effect free.
  • “Simple” cross‑site requests. Browsers allow cross‑site GET/HEAD/POST with simple headers and “simple” content types (application/x-www-form-urlencoded, multipart/form-data, text/plain) without a CORS preflight. That makes them ideal carriers for a forged action.
  • Top‑level navigations. Clicking a link or auto‑submitting a form that navigates the top window to the target origin can send session cookies depending on the cookie’s SameSite policy (e.g., Lax sends on top‑level safe navigations like GET; Strict does not; None; Secure sends on all). If your site mutates state on top‑level GET, you’ve created a CSRF path.
  • Subresource loads. Embedding a target endpoint behind an <img>/<link>/<script> triggers GET requests. If those endpoints mutate state and cookies are included (e.g., cookies set with SameSite=None; Secure), they’re CSRF‑able.
  • XHR/fetch with credentials. Attackers can use withCredentials/credentials: 'include' to attempt cross‑site simple requests with cookies attached. Even if the browser withholds the response due to CORS, the request still hits the server and can change state; unless you require a CSRF token or perform strict Origin/Referer checks.
  • Method tunneling. Frameworks that accept POST _method=DELETE/PUT (or headers that tunnel verbs) can make “unsafe” methods reachable via a simple POST, reopening CSRF paths.
  • Protocol quirks. WebSocket handshakes are GET requests that may carry cookies; without validating the Origin header, you risk CSRF‑style actions (CSWSH) at connection time.

Usually not CSRF‑able (by design)

  • Endpoints that require a non‑simple header (e.g., custom X-CSRF-Token) or Content-Type: application/json and reject others; these force a preflight and block the actual request unless explicitly allowed.
  • APIs authenticated with Authorization: Bearer headers that your own JS adds (rather than cookies). Cross‑site pages cannot add that header and pass CORS/preflight silently.
  • Any state change that requires a fresh, unguessable CSRF security token bound to the user’s session and request context.

If a browser can fire the request from a foreign page and your server would accept it based solely on cookies, the request is CSRF‑able. Require a CSRF token, validate Origin/Referer, and avoid state changes on GET to take it out of play.

CSRF Protection

To protect against Cross-site Request Forgery (CSRF) attacks, there are several effective strategies that developers and website administrators can implement.

Protection Method Description
Token-based Protection Use unique tokens that are generated by the server and included in forms. These tokens must be submitted with each form request, ensuring that the request originates from the site.
SameSite Cookie Attribute This cookie attribute tells browsers to only send cookies with requests initiated from the same origin as the website, thus blocking requests with cookies from external sites.
Double Submit Cookies Generate a cookie and a hidden form field bearing the same value. The server verifies both values match upon form submission to confirm the request's authenticity.
Custom Headers Use custom request headers (e.g., X-CSRF-Token) that are not part of normal browser requests to external sites. These must be explicitly set by the site's JavaScript.
Referer Validation Check the HTTP Referer header of incoming requests to ensure they originate from allowed domains.

Conclusion

To sum it all up, CSRF attacks trick your browser into performing unauthorized actions on trusted websites. They can steal money, data, or damage reputations. Everyone - users and developers - needs to be aware and implement security measures to stay safe online.

FAQs

What role does a CSRF token play in preventing unauthorized requests?

A CSRF token is a per‑session or per‑request unguessable secret that must accompany any state‑changing call. Because an attacker’s page can’t read your origin to steal or compute the token, their forged request will lack a valid token and the server rejects it, preserving user intent.

How does the CSRF attack flow typically occur, and how can developers break it?

In a typical CSRF attack flow, an attacker page triggers a cross‑site “simple” request; the browser auto‑attaches cookies; the server accepts and mutates state. Break it by requiring a CSRF token, validating Origin/Referer, avoiding state changes on GET, using SameSite cookies, and forcing CORS preflight for JSON or custom headers.

Are there alternatives to CSRF tokens for securing state-changing requests?

Yes; Origin/Referer validation, SameSite cookie policies, CORS preflight via non‑simple headers/JSON, and step‑up authentication (e.g., WebAuthn, re‑enter password, OTP) all help. In practice, tokens remain the most portable, framework‑agnostic defense; combine them with origin checks for layered, robust protection.

Can modern frameworks like React or Angular mitigate CSRF without manual token handling?

Frameworks don’t change browser trust; they aren’t security boundaries. Some libraries auto‑read a CSRF cookie and send a header, but your server must issue and verify the token. Treat client helpers as convenience, not protection. CSRF defense ultimately lives on the server: token generation, binding, and enforcement.

How does SameSite cookie policy help defend against cross‑site request forgery attacks?

SameSite=Lax withholds cookies on most cross‑site subrequests and only sends them on top‑level safe navigations (like GET). SameSite=Strict is tighter; None; Secure sends on all contexts. SameSite reduces ambient authority surface, but it’s not sufficient alone; still require CSRF tokens and origin checks for state changes.

Published on:
October 22, 2025
IBC - Mid banner

Related Glossary

See All Terms
IBC - Side Banner
This is some text inside of a div block.
No items found.
100 Causeway St.,
Boston, Massachusetts,
02114 United States
Book a Demo
Solutions
Company
Resources
Products
Legal
Products
VCDNVirtual Edge
Solutions
Redundancy for
Dynamic TrafficCost ReductionMigrationCost OptimizationMigration
Company
About UsNewsroomPartnersContact Us
Resources
BlogGlossaryResources LibraryCustomer Success StoriesFAQEventsQuestionsAPI Documentation
Legal
Privacy PolicyTerms of UseCookies PolicySecurity PassportDPAService Level Agreement
Derech Menachem Begin 127,
Azrieli Center (Triangle Tower),
Tel Aviv - Yaffo, Israel
© All Rights Reserved to IO River LTD 2022 — 2025