
Cross-site request forgery (CSRF)

In a cross-site request forgery (CSRF) attack, an attacker tricks the browser into making an HTTP request to the target site from a malicious site. The request includes the user's credentials and causes the server to carry out some harmful action, thinking that the user intended it.

A CSRF attack is possible if a website:

  • Uses HTTP requests to change some state on the server
  • Uses only cookies to validate that the request came from an authenticated user
  • Uses only parameters in the request that an attacker can predict

There are several defenses against CSRF attacks, including CSRF tokens, using fetch metadata to block certain cross-site requests, and setting the SameSite attribute on cookies used to authenticate sensitive requests.
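The three defenses named above, combined in one server-side check, as an added example that is not part of the original page. The request shape, the function names, the `session` cookie name and the choice of which methods count as safe are assumptions made for illustration.

```javascript
const crypto = require("node:crypto");

// Assumption: GET, HEAD and OPTIONS never change server state in this application.
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

// Unpredictable per-session value; the server stores it in the session and
// embeds it in its own forms, so a request built on another site cannot supply it.
function newCsrfToken() {
  return crypto.randomBytes(32).toString("hex");
}

// Constant-time comparison of the session's token with the submitted one.
function tokensMatch(expected, supplied) {
  if (typeof expected !== "string" || typeof supplied !== "string") return false;
  const a = Buffer.from(expected);
  const b = Buffer.from(supplied);
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}

// req is a constructed shape: { method, headers (lower-case names), sessionToken, formToken }.
function checkRequest(req) {
  if (SAFE_METHODS.has(req.method.toUpperCase())) {
    return { allow: true, reason: "safe-method" };
  }
  // Fetch metadata: the browser states where the request was initiated.
  if (req.headers["sec-fetch-site"] === "cross-site") {
    return { allow: false, reason: "cross-site" };
  }
  // Header absent (older browser) or not cross-site: the token is still required.
  if (!tokensMatch(req.sessionToken, req.formToken)) {
    return { allow: false, reason: "bad-token" };
  }
  return { allow: true, reason: "token-ok" };
}

// SameSite=Strict keeps the browser from attaching the cookie to cross-site requests.
function sessionCookie(sessionId) {
  return `session=${sessionId}; Path=/; HttpOnly; Secure; SameSite=Strict`;
}
```

Each layer covers a gap in the others: the token still protects browsers that send no `Sec-Fetch-Site` header, and the fetch-metadata check rejects a cross-site request even if a token has leaked.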


This page was last modified on by MDN contributors.

