Cross-Site Request Forgery (CSRF)
CSRF: An attack that tricks a logged-in user's browser into submitting a request they never intended to make.
Reviewed by the RadarTrek editorial team · June 2026
CSRF exploits the fact that browsers automatically attach cookies to requests, regardless of which site triggered them — so a malicious page can submit a form to your app, and the victim's browser sends their session cookie right along with it. Defences include CSRF tokens tied to the user's session, and `SameSite` cookie attributes that stop cookies from being sent on cross-site requests in the first place.
Why it matters
- Unlike XSS, CSRF doesn't need to read any data — it just needs to make the victim's browser perform an action while authenticated.
- `SameSite=Lax` or `Strict` cookies block most CSRF by default in modern browsers, but APIs called from other origins still need explicit tokens.
- State-changing requests (anything that writes data) need CSRF protection — read-only GET requests generally don't carry the same risk.
Where to learn this
CSRF and API Security
Web Security for Builders course
This is the exact lesson that covers this term in depth — with examples, diagrams, and a hands-on exercise.