CSRF
Embed This Widget
Add the script tag and a data attribute to embed this widget.
Embed via iframe for maximum compatibility.
<iframe src="https://ipfyi.com/iframe/glossary/csrf/" width="420" height="400" frameborder="0" style="border:0;border-radius:10px;max-width:100%" loading="lazy"></iframe>
Paste this URL in WordPress, Medium, or any oEmbed-compatible platform.
https://ipfyi.com/glossary/csrf/
Add a dynamic SVG badge to your README or docs.
[](https://ipfyi.com/glossary/csrf/)
Use the native HTML custom element.
Définition
Cross-Site Request Forgery (Falsification de Requête Inter-Sites). Une attaque qui trompe le navigateur d'un utilisateur authentifié pour qu'il envoie une requête non désirée à une application web. Prévenue par des jetons anti-CSRF, des cookies SameSite et la vérification de l'en-tête Origin.
The Trust Model CSRF Exploits
Cross-Site Request Forgery tricks a victim's browser into sending an authenticated request to a target site without the victim's knowledge. The browser automatically includes cookies — so if the user is logged into their bank, a malicious page can silently transfer funds by loading an invisible image whose src is the bank's transfer endpoint. The server sees a valid session cookie and complies.
Why CORS Doesn't Fully Stop It
CSRF predates CORSCross-Origin Resource Sharing. A browser security mechanism that uses HTTP headers to control which origins (domains) are permitted to access resources from another origin. Essential for modern web APIs that serve cross-domain requests. and exploits a different mechanism. CORS restricts JavaScript from reading cross-origin responses, but CSRF attacks using HTML forms or <img> tags don't need to read responses — they only need the request to fire. A GET endpoint that mutates state is therefore trivially exploitable regardless of CORS policy.
Mitigation Techniques
| Defense | Mechanism |
|---|---|
| CSRF tokens | Unpredictable value in forms, validated server-side |
SameSite cookie attribute |
Browser sends cookie only on same-site requests |
Origin / Referer header validation |
Server rejects requests from unexpected origins |
| Double-submit cookie | Token in both cookie and request parameter |
XSSCross-Site Scripting. A web vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users. XSS can steal session cookies, redirect users, or deface websites; mitigated by output encoding and CSP headers. can defeat CSRF token protections — an attacker who can run JavaScript in the victim's browser can read the token and forge a valid request. This is why XSS prevention is a prerequisite for CSRFCross-Site Request Forgery. An attack that tricks an authenticated user's browser into sending an unintended request to a web application. Prevented by anti-CSRF tokens, SameSite cookies, and verifying the Origin header. defense. Modern frameworks (Django, Rails, Spring) include CSRF middleware by default.