RadarTrek

Cross-Site Request Forgery (CSRF)

CSRF

An attack that tricks a logged-in user's browser into submitting a request they never intended to make.

Reviewed by the RadarTrek editorial team · June 2026

CSRF exploits the fact that browsers attach a site's cookies to every request sent to that site, regardless of which page triggered the request. A malicious page can therefore auto-submit a form to your app, and the victim's browser sends their session cookie along with it; the server sees an authenticated request and acts on it. The attacker never sees the response (the same-origin policy stops the malicious page from reading it) and does not need to: the damage is done when the request is processed. Defences include a CSRF token, an unpredictable value tied to the user's session that the server renders into its own forms and verifies on every state-changing request, and the `SameSite` cookie attribute, which tells the browser not to send the cookie on cross-site requests in the first place.

Why it matters

  • Unlike XSS, CSRF doesn't need to read any data or run script in your origin: it just needs the victim's browser to send an authenticated request. The attacker never sees the response.
  • `SameSite=Lax` or `SameSite=Strict` cookies block most CSRF (modern Chromium-based browsers even treat a cookie with no `SameSite` attribute as `Lax`), but the protection has gaps: `Lax` still sends the cookie on top-level GET navigations, cookies set to `SameSite=None` for legitimate cross-site API use get no protection at all, and the attribute is keyed on the site (registrable domain), not the origin, so a request launched from another subdomain of your site still carries the cookie. Those cases still need explicit tokens.
  • State-changing requests (anything that writes data) need CSRF protection and should never be reachable via GET, because a GET can be triggered by a plain `<img>` tag or link. Read-only GET requests generally don't carry the same risk.

Where to learn this

CSRF and API Security

Web Security for Builders course

This is the exact lesson that covers this term in depth — with examples, diagrams, and a hands-on exercise.
