
CSRF

Cross-Site Request Forgery

CSRF (Cross-Site Request Forgery) is an attack where a malicious site causes a victim’s browser to issue an authenticated request against a target site, leveraging the cookies the browser automatically attaches.

Classic example: you’re logged into bank.example.com. You visit evil.example, which contains <img src="https://bank.example.com/transfer?to=attacker&amount=1000" />. Your browser dutifully sends the request with your bank session cookies. The bank, unable to distinguish the legitimate origin, processes the transfer.

Modern defences:

  • SameSite cookie attribute (default Lax in modern browsers) — blocks cookies from cross-site POST requests. Lax still sends the cookie on top-level GET navigations (a link or redirect), so a state-changing GET endpoint like the transfer above remains reachable; use Strict for sensitive cookies where the UX allows it, and never change state on GET.
  • CSRF tokens — random server-issued tokens included in forms, checked on submit. Industry standard for decades.
  • Origin/Referer header validation — defence in depth.
  • Bearer-token authentication (in headers, not cookies) — immune to CSRF by default.
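The server side of the two main defences above, as an added example (not code from the original glossary page): a session-bound synchronizer token checked with a constant-time compare, an Origin/Referer check as defence in depth, and the Set-Cookie attributes that enlist the browser. The server key, site origin and session ids are constructed values for the example.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed values for the example: a per-deployment secret and the site's own origin.
SERVER_KEY = secrets.token_bytes(32)
SITE_ORIGIN = "https://bank.example.com"


def issue_csrf_token(session_id: str) -> str:
    """Synchronizer token derived as HMAC(server_key, session_id).

    Binding the token to the session means a token obtained in one
    session is useless for forging requests in another."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def origin_allowed(headers: dict) -> bool:
    """Defence in depth: browsers set Origin on cross-site POSTs and pages
    cannot forge it. Fall back to Referer; reject when neither is present."""
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin == SITE_ORIGIN


def request_allowed(method: str, headers: dict, cookies: dict, form: dict) -> bool:
    """Accept a state-changing request only with a valid session-bound token
    AND a matching Origin/Referer. Safe methods are exempt because they must
    never change state (the GET transfer in the glossary example is the bug)."""
    if method.upper() in ("GET", "HEAD", "OPTIONS"):
        return True
    session_id = cookies.get("session")
    if session_id is None:
        return False
    expected = issue_csrf_token(session_id).encode()
    submitted = form.get("csrf_token", "").encode()
    if not hmac.compare_digest(expected, submitted):  # constant-time compare
        return False
    return origin_allowed(headers)


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value asking the browser to withhold the cookie on
    cross-site POSTs (SameSite=Lax) and to keep it off insecure transports."""
    return f"session={session_id}; Secure; HttpOnly; SameSite=Lax; Path=/"
```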

Modern frameworks (Django, Rails, Spring) ship CSRF protection enabled by default. The 2020 default-Lax cookie change effectively eliminated CSRF for most modern apps without any code changes.


Published May 15, 2026