Cross-Site Request Forgery (CSRF) Protection

Cross-Site Request Forgery (CSRF) tricks a user's browser into submitting a request to a web application where that user is already authenticated, without the user intending it. The attacker's site causes the victim's browser to make the request, and the server accepts it as legitimate: it may change a password, transfer funds, or modify data.

How CSRF Works

When a user is logged into your application and visits an attacker's malicious website, the attacker's page can automatically submit a form or make a request to your application. The user's browser automatically includes their session cookies, so your server accepts the request as authenticated.

Prevention Techniques

  • CSRF tokens (synchroniser tokens): A secret, unpredictable token tied to the user's session is embedded in every state-changing form, and the server rejects any submission whose token does not match. The attacker's page cannot learn the token value, so it cannot produce a valid request.
  • SameSite cookie attribute: Setting SameSite=Strict or Lax on session cookies stops modern browsers from attaching them to cross-site requests, so a forged request arrives unauthenticated. This is the most effective modern defence.
  • Double-submit cookie pattern: For APIs, a random value is sent both as a cookie and in a custom request header, and the server checks that the two match. A cross-origin page can neither read the cookie nor set the custom header, so it cannot supply a matching value.
  • Custom request headers: AJAX requests carrying custom headers cannot be made cross-origin without a CORS pre-flight, which the browser will not pass unless the server opts in, providing inherent CSRF protection.
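As an added example (not code from the original article), a minimal Python implementation of the synchroniser token and SameSite cookie defences described above. The in-memory session store, the route name and the X-CSRF-Token header name are assumptions made for illustration.

```python
import hmac
import secrets

# Constructed in-memory session store for the example: session id -> session data.
# A real application would keep this in its session backend.
SESSIONS = {}

# Safe methods must not change state, so they carry no token; everything else is checked.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def create_session():
    """Create a session and bind a fresh, unguessable CSRF token to it."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"csrf_token": secrets.token_urlsafe(32)}
    return sid


def session_cookie_header(sid):
    """Set-Cookie line for the session. SameSite=Lax stops the browser attaching it
    to cross-site POSTs; Strict would also block top-level cross-site GET navigations."""
    return f"Set-Cookie: session={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


def render_form(sid):
    """Embed the session's token in a state-changing form (synchroniser token pattern)."""
    token = SESSIONS[sid]["csrf_token"]
    return (
        '<form method="post" action="/change-password">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input type="password" name="new_password">'
        '<button type="submit">Change</button></form>'
    )


def is_request_allowed(method, cookies, form=None, headers=None):
    """Server-side check run before any state-changing handler.

    The token may arrive as a form field (HTML forms) or an X-CSRF-Token header
    (AJAX, an assumed header name); either way it must match the token bound
    to the session identified by the cookie."""
    if method.upper() in SAFE_METHODS:
        return True
    session = SESSIONS.get(cookies.get("session"))
    if session is None:
        return False  # no valid session, so there is nothing to authorise
    submitted = (form or {}).get("csrf_token") or (headers or {}).get("X-CSRF-Token")
    if not submitted:
        return False  # a forged cross-site request carries the cookie but never the token
    # Constant-time comparison avoids leaking the token through timing differences.
    return hmac.compare_digest(session["csrf_token"].encode(), submitted.encode())
```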

Modern Framework Support

Most modern frameworks include CSRF protection. We check that it is enabled and correctly configured, because the protection a framework turns on by default can be disabled inadvertently, for example by a configuration change or an exemption added during development.
