Understanding CSRF and How to Prevent It in Your Application — Part 1
Summary
Cross-Site Request Forgery (CSRF) is an attack in which a user's browser, already authenticated to a website, is made to send that site a request the user never intended.
The browser's default behaviour of automatically attaching the user's credentials (such as session cookies) to every request it sends to a site, including requests that a different site triggers, is what makes these unwanted requests possible.
Part one of this series explains where CSRF comes from and how it works, with a demonstration against a generic bank app.
A malicious site can cause the browser to send requests to another site, and because the browser attaches that site's session cookies, the web server cannot tell that the request is cross-site unless it takes extra measures.
Part two of the series examines defences against CSRF, such as SameSite cookies and CSRF token strategies.
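As an added illustration (not code from the original post or from any bank app), the snippet below models the server side of the bank transfer endpoint described above: a constructed legitimate request and a constructed forged one both arrive with the session cookie, because the browser attaches it automatically, and only the extra measures (checking the browser's Origin/Sec-Fetch-Site metadata and a session-bound CSRF token) let the server tell them apart. `SITE_ORIGIN`, the secret and the sample requests are assumptions for the demo.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

SITE_ORIGIN = "https://bank.example"  # assumed origin of the bank app (placeholder)


def issue_csrf_token(session_id, secret):
    """Token the bank app embeds in its own forms, bound to the session via HMAC."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def request_origin(headers):
    """Scheme + host of the page that sent the request, from Origin or Referer."""
    value = headers.get("Origin") or headers.get("Referer")
    if not value:
        return None
    parts = urlsplit(value)
    return f"{parts.scheme}://{parts.netloc}"


def is_cross_site(headers):
    """True when the browser's own metadata says the request came from another site."""
    fetch_site = headers.get("Sec-Fetch-Site")
    if fetch_site is not None:
        return fetch_site not in ("same-origin", "same-site", "none")
    # Exact origin comparison: a missing origin counts as cross-site for writes.
    return request_origin(headers) != SITE_ORIGIN


def should_process_transfer(request, secret):
    """Accept a state-changing POST only if same-site AND carrying the session's token."""
    if request["method"] != "POST" or is_cross_site(request["headers"]):
        return False
    session_id = request["cookies"].get("session")
    if not session_id:
        return False
    expected = issue_csrf_token(session_id, secret)
    return hmac.compare_digest(expected, request["form"].get("csrf_token", ""))


# Constructed sample requests: the session cookie is present in both because the
# browser attaches it automatically; only the first carries the site's own token.
SECRET = b"constructed-demo-secret"
LEGIT = {"method": "POST", "headers": {"Origin": SITE_ORIGIN},
         "cookies": {"session": "abc123"},
         "form": {"csrf_token": issue_csrf_token("abc123", SECRET), "to": "alice", "amount": "10"}}
FORGED = {"method": "POST",
          "headers": {"Origin": "https://evil.example", "Sec-Fetch-Site": "cross-site"},
          "cookies": {"session": "abc123"},
          "form": {"to": "mallory", "amount": "10000"}}

if __name__ == "__main__":
    print("legit accepted:", should_process_transfer(LEGIT, SECRET))    # True
    print("forged accepted:", should_process_transfer(FORGED, SECRET))  # False
```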