Cross-site request forgery (CSRF)

In a cross-site request forgery (CSRF) attack, an attacker tricks the browser into making an HTTP request to the target site from a malicious site. The request includes the user's credentials and causes the server to carry out some harmful action, thinking that the user intended it.

A CSRF attack is possible if a website:

• Uses HTTP requests to change some state on the server
• Uses only cookies to validate that the request came from an authenticated user
• Uses only parameters in the request that an attacker can predict

There are several defenses against CSRF attacks, including CSRF tokens, using fetch metadata to block certain cross-site requests, and setting the SameSite attribute on cookies used to authenticate sensitive requests.

See also

• Cross-site request forgery
• Cross-Site Request Forgery Prevention Cheat Sheet at owasp.org