Jane Doe
Pro Plan
Cross-Site Request Forgery (CSRF) is a type of attack where a malicious website tricks a user's browser into making an unwanted request to a different site where the user is already authenticated.
In other words, the attacker exploits the trust a web application has in the user's browser.
Let’s say you’re logged into bank.com, and you have a cookie in your browser that keeps your session active.
Now, you visit a malicious website evil.com that contains this code:
<img src="https://bank.com/transfer?amount=1000&to=attacker123" />When your browser loads this image, it makes a GET request to bank.com, automatically including your session cookie — just like a normal request from you.
If bank.com doesn’t have CSRF protection, it will think this is a legitimate action by you, and the transfer will succeed.
If the email provider doesn’t verify the authenticity of the request (e.g., using CSRF tokens), you’re compromised.
SameSite=Lax or SameSite=Strict prevents the browser from sending cookies with cross-site requests.| CSRF | XSS | |
|---|---|---|
| Target | Application logic (actions) | The user (via the browser) |
| Attack Vector | A malicious external site | Injected script in trusted site |
| Needs Login? | ✅ Yes | ❌ Not always |
| Prevented by | CSRF tokens, SameSite cookies | Escaping input, sanitizing scripts |
CSRF is dangerous because it exploits authenticated sessions and happens without the user's knowledge. Even though modern browsers are getting better at enforcing cookie policies, developers still need to explicitly implement CSRF protection on the server side.
If your app lets users perform important actions, make sure they’re truly the one requesting it.