Cross-Site Request Forgery (CSRF)

Security Glossary - Web Security

Definition: CSRF is an attack that tricks an authenticated user's browser into making unwanted requests to a web application. If a user is logged into their bank and visits a malicious page, that page can submit a hidden form to the bank's transfer endpoint using the user's existing session cookie, without the user's knowledge.

Why CSRF Matters

CSRF exploits the fact that browsers automatically include cookies with every request to a domain, regardless of which page initiated the request. If your application performs state-changing actions (transfers, settings changes, account deletion) based solely on cookie authentication, it is vulnerable to CSRF.

Modern defenses include SameSite cookies (which stop the browser from attaching the session cookie to cross-site requests), CSRF tokens (unpredictable per-session or per-request values that a forged page cannot supply), and checking the Origin/Referer header. Setting SameSite=Lax or SameSite=Strict on session cookies is the simplest and most effective first line of defense; note that Lax still sends the cookie on top-level navigations, so it is best combined with tokens on state-changing endpoints.

APIs that use bearer tokens (such as a JWT in the Authorization header) instead of cookies are not exposed to classic CSRF, because the browser never attaches the token automatically: the application's own JavaScript has to add the header to each request, which a page on another site cannot do. This is one reason token-based authentication has become popular for single-page applications.

How to Check

A security audit checks for SameSite cookie attributes and other CSRF defenses. Verify your session cookies have SameSite=Lax or SameSite=Strict. For applications using cookie-based authentication, also implement CSRF tokens for state-changing endpoints.
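As an added example (not DomainOptic's code), a minimal server-side check in Python that combines the defenses described above: the recommended cookie attributes, a per-session token the attacker cannot predict, and an Origin/Referer check. The origin https://bank.example, the cookie name `session` and the form field `csrf_token` are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Constructed for the example; a real deployment loads a persistent secret from config.
SERVER_SECRET = secrets.token_bytes(32)
ALLOWED_ORIGIN = "https://bank.example"  # hypothetical site being protected


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie line carrying the attributes the text recommends for session cookies."""
    return f"Set-Cookie: session={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax"


def csrf_token(session_id: str, secret: bytes = SERVER_SECRET) -> str:
    """Per-session synchronizer token: an HMAC over the session id.

    A forged page on another site has no way to read or predict this value."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def origin_allowed(headers: dict) -> bool:
    """Accept only requests whose Origin (or, failing that, Referer) names our own site.

    If neither header is present we cannot prove the request is same-site, so reject."""
    origin = headers.get("Origin")
    if origin is not None:
        return origin == ALLOWED_ORIGIN
    referer = headers.get("Referer", "")
    return referer == ALLOWED_ORIGIN or referer.startswith(ALLOWED_ORIGIN + "/")


def authorize_state_change(method: str, headers: dict, cookies: dict, form: dict,
                           secret: bytes = SERVER_SECRET):
    """Decide whether a state-changing request (transfer, settings change) may proceed.

    Returns (allowed, reason). Checks run in the order a request handler would apply them."""
    if method.upper() in ("GET", "HEAD", "OPTIONS"):
        return False, "state changes must not be reachable via safe methods"
    session_id = cookies.get("session")
    if not session_id:
        return False, "no session cookie"
    if not origin_allowed(headers):
        return False, "cross-site origin"
    # Constant-time comparison so the token cannot be guessed byte by byte.
    if not hmac.compare_digest(csrf_token(session_id, secret), form.get("csrf_token", "")):
        return False, "missing or invalid CSRF token"
    return True, "ok"
```

A forged form submitted from another site arrives with the session cookie but with a foreign Origin and no valid token, so it fails before any transfer logic runs.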


Frequently Asked Questions

Do SameSite cookies prevent CSRF?
SameSite=Strict stops the browser from sending the cookie on any cross-site request, effectively eliminating CSRF. SameSite=Lax allows the cookie on top-level navigations (like clicking a link) but withholds it on cross-site form submissions and AJAX requests, preventing most CSRF attacks.
Are APIs vulnerable to CSRF?
APIs using cookie-based authentication can be vulnerable. APIs using Authorization header tokens (like Bearer JWT) are not vulnerable because the token is not automatically sent with cross-origin requests. If your API uses cookies, add CSRF protection.
Disclaimer: DomainOptic provides automated informational scans only. Results do not constitute professional security advice, compliance certification, or a guarantee of security. Always verify findings independently.