CSRF (Cross-Site Request Forgery) is an attack where a malicious site causes a victim’s browser to make an authenticated request to a target site, using the victim’s existing cookies.
The classic attack
- Victim is signed into bank.com with a session cookie
- Victim visits attacker.com, which contains:

```html
<form action="https://bank.com/transfer" method="POST">
  <input name="amount" value="1000">
  <input name="to" value="attacker">
</form>
<script>document.forms[0].submit()</script>
```

- Browser submits the form, sending the bank.com cookie along
- Bank's server authenticates the request via the cookie and transfers the money
The attack works because the browser attaches the cookies it holds for bank.com to any request bound for bank.com, regardless of which site initiated it. The server sees a well-formed, authenticated request and has no way to tell it came from attacker.com.
The defense: SameSite cookies
SameSite=Lax withholds the cookie from cross-site requests except top-level navigations that use a safe method such as GET. The auto-submitted POST above therefore arrives without the session cookie, the bank treats it as unauthenticated, and the transfer fails. With that attribute on the session cookie, the classic form-post CSRF is dead in current browsers. Two caveats: not every browser defaults to Lax when the attribute is missing (Chromium does, Safari and Firefox do not), and Chromium's Lax-by-default exempts cookies set in the last two minutes from the POST restriction. Set SameSite=Lax (or Strict) explicitly rather than relying on the default.
Residual risk
CSRF can still work:
- From a sibling subdomain of the same registrable domain. SameSite compares sites (scheme plus eTLD+1), not origins, so a request from user-content.bank.com to bank.com is same-site and carries the cookie. User-hosted content, embeds and subdomain takeover all land here.
- Via legacy endpoints that change state on GET. Lax still sends the cookie on a top-level cross-site navigation, so a link or window.location redirect to https://bank.com/transfer?amount=1000&to=attacker is authenticated.
- In SameSite=None contexts (cookies used by embedded iframes or cross-site login flows), where the cookie is sent on every request by design.
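The rules above are easier to reason about as code. The following is an added example, not code from the original page: a small model of the decision a browser makes when attaching a cookie, replayed against the classic attack and the three residual cases. The URLs, cookie attributes and request shapes are constructed for illustration, and the site computation assumes a plain two-label suffix such as bank.com rather than the full Public Suffix List.

```javascript
// Added example (not from the original page): a model of the browser's
// SameSite decision. Rules modelled:
//   Strict - never sent on a cross-site request
//   Lax    - sent cross-site only on a top-level navigation with a safe method
//   None   - always sent, but only honoured if the cookie is also Secure
// A cookie with no SameSite attribute is deliberately not modelled: the
// default differs by browser (Chromium treats it as Lax, Safari as None).

const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

// "Site" = scheme + registrable domain. Browsers consult the Public Suffix
// List; this helper assumes a two-label suffix (bank.com), which is all the
// constructed scenarios below need.
function siteOf(url) {
  const u = new URL(url);
  const registrable = u.hostname.split(".").slice(-2).join(".");
  return `${u.protocol}//${registrable}`;
}

// cookie  = { sameSite: "Strict" | "Lax" | "None", secure: boolean }
// request = { initiator, target, method, topLevel }  (initiator/target are URLs)
function cookieSent(cookie, request) {
  const crossSite = siteOf(request.initiator) !== siteOf(request.target);
  if (!crossSite) return true;               // same-site requests are unaffected

  switch (cookie.sameSite) {
    case "Strict": return false;
    case "Lax":    return request.topLevel && SAFE_METHODS.has(request.method);
    case "None":   return cookie.secure === true; // None without Secure is rejected
    default:       throw new Error(`unsupported SameSite value: ${cookie.sameSite}`);
  }
}

// Constructed scenarios mirroring the text above.
const lax  = { sameSite: "Lax",  secure: true };
const none = { sameSite: "None", secure: true };
const legacyGet = "https://bank.com/transfer?amount=1000&to=attacker";

function scenarios() {
  return {
    // The classic attack: auto-submitted POST from attacker.com. Blocked.
    classicPost: cookieSent(lax, {
      initiator: "https://attacker.com/", target: "https://bank.com/transfer",
      method: "POST", topLevel: true }),
    // Residual risk: state-changing GET reached by a link (top-level). Sent.
    legacyGetLink: cookieSent(lax, {
      initiator: "https://attacker.com/", target: legacyGet,
      method: "GET", topLevel: true }),
    // The same GET as a subresource (<img src>) is not top-level. Blocked.
    legacyGetImage: cookieSent(lax, {
      initiator: "https://attacker.com/", target: legacyGet,
      method: "GET", topLevel: false }),
    // Residual risk: a sibling subdomain is the same site. Sent.
    siblingSubdomainPost: cookieSent(lax, {
      initiator: "https://user-content.bank.com/", target: "https://bank.com/transfer",
      method: "POST", topLevel: true }),
    // Residual risk: SameSite=None cookies ride along even on an iframe POST. Sent.
    noneIframePost: cookieSent(none, {
      initiator: "https://attacker.com/", target: "https://bank.com/transfer",
      method: "POST", topLevel: false }),
  };
}
```

Run `scenarios()` and the only case that the classic defense stops outright is the auto-submitted POST; the link-triggered GET, the sibling subdomain and the None cookie all still carry the session, which is exactly the gap the layered defenses below close.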
Layered defenses
For state-changing endpoints, reject requests whose Sec-Fetch-Site header is anything other than same-origin (falling back to the Origin header for clients that do not send Fetch Metadata), and verify a per-session CSRF token. Both are cheap, and together they cover the gaps above: Sec-Fetch-Site reports a sibling subdomain as same-site rather than same-origin, so the subdomain case that SameSite lets through is caught, and the token check holds even when the cookie arrives.
CSRF is different from XSS: XSS runs attacker-controlled script inside your origin and can read anything that origin can, while CSRF only borrows the browser's ambient authority (the cookies) to send a request and, because of the same-origin policy, never sees the response.
See the full auth glossary for related terms.