CSRF
Embed This Widget
Add the script tag and a data attribute to embed this widget.
Embed via iframe for maximum compatibility.
<iframe src="https://ipfyi.com/iframe/glossary/csrf/" width="420" height="400" frameborder="0" style="border:0;border-radius:10px;max-width:100%" loading="lazy"></iframe>
Paste this URL in WordPress, Medium, or any oEmbed-compatible platform.
https://ipfyi.com/glossary/csrf/
Add a dynamic SVG badge to your README or docs.
[](https://ipfyi.com/glossary/csrf/)
Use the native HTML custom element.
التعريف
تزوير الطلبات عبر المواقع. هجوم يخدع متصفح مستخدم مصادق عليه لإرسال طلب غير مقصود إلى تطبيق ويب. يُمنع باستخدام رموز CSRF المضادة وملفات تعريف الارتباط SameSite والتحقق من رأس Origin.
The Trust Model CSRF Exploits
Cross-Site Request Forgery tricks a victim's browser into sending an authenticated request to a target site without the victim's knowledge. The browser automatically includes cookies — so if the user is logged into their bank, a malicious page can silently transfer funds by loading an invisible image whose src is the bank's transfer endpoint. The server sees a valid session cookie and complies.
Why CORS Doesn't Fully Stop It
CSRF predates CORSCross-Origin Resource Sharing. A browser security mechanism that uses HTTP headers to control which origins (domains) are permitted to access resources from another origin. Essential for modern web APIs that serve cross-domain requests. and exploits a different mechanism. CORS restricts JavaScript from reading cross-origin responses, but CSRF attacks using HTML forms or <img> tags don't need to read responses — they only need the request to fire. A GET endpoint that mutates state is therefore trivially exploitable regardless of CORS policy.
Mitigation Techniques
| Defense | Mechanism |
|---|---|
| CSRF tokens | Unpredictable value in forms, validated server-side |
SameSite cookie attribute |
Browser sends cookie only on same-site requests |
Origin / Referer header validation |
Server rejects requests from unexpected origins |
| Double-submit cookie | Token in both cookie and request parameter |
XSSCross-Site Scripting. A web vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users. XSS can steal session cookies, redirect users, or deface websites; mitigated by output encoding and CSP headers. can defeat CSRF token protections — an attacker who can run JavaScript in the victim's browser can read the token and forge a valid request. This is why XSS prevention is a prerequisite for CSRFCross-Site Request Forgery. An attack that tricks an authenticated user's browser into sending an unintended request to a web application. Prevented by anti-CSRF tokens, SameSite cookies, and verifying the Origin header. defense. Modern frameworks (Django, Rails, Spring) include CSRF middleware by default.