{
    "slug": "csrf",
    "term": "Cross-Site Request Forgery (CSRF)",
    "category": "security",
    "difficulty": "intermediate",
    "short": "A forged request tricks an authenticated user's browser into performing an unintended action on a site they're logged into.",
    "long": "CSRF exploits the browser's automatic inclusion of session cookies. An attacker hosts a page with a hidden form or image tag that sends a state-changing request to the target site. The victim's browser attaches their valid session cookie, so the server treats the request as legitimate. Mitigation requires an unpredictable per-session, per-form token that the attacker cannot obtain, validated server-side with a constant-time comparison.",
    "aliases": [
        "Cross-Site Request Forgery",
        "XSRF",
        "sea-surf"
    ],
    "tags": [
        "owasp-top10",
        "browser",
        "authentication",
        "cwe-352"
    ],
    "misconception": "HTTPS prevents CSRF. CSRF exploits the browser's automatic cookie sending and works over HTTPS just as well as over HTTP. SameSite cookies and CSRF tokens are the actual mitigations.",
    "why_it_matters": "CSRF tricks authenticated users into submitting requests they never intended — transferring money, changing passwords, or deleting accounts. A missing CSRF token on a state-changing endpoint is a critical vulnerability regardless of how complex the authentication is.",
    "common_mistakes": [
        "Protecting POST routes but forgetting PUT, PATCH, and DELETE — all state-changing methods need tokens.",
        "Checking that a token is present but not that it matches the session — a presence check alone is useless.",
        "Disabling CSRF middleware globally for API routes while forgetting that the app also serves browser clients.",
        "Using a static, never-rotating token — tokens must be per-session and ideally per-request."
    ],
    "when_to_use": [],
    "avoid_when": [],
    "related": [
        "hash_equals",
        "random_bytes",
        "session"
    ],
    "prerequisites": [
        "session",
        "http_methods_idempotency",
        "same_site_cookie"
    ],
    "refs": [
        "https://owasp.org/www-community/attacks/csrf",
        "https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html",
        "https://cwe.mitre.org/data/definitions/352.html"
    ],
    "bad_code": "// No CSRF token — any site can submit this form on behalf of the user\nRoute::post('/account/delete', [AccountController::class, 'destroy']);",
    "good_code": "// Laravel — CSRF middleware applied globally, @csrf in every form\n<form method=\"POST\" action=\"/account/delete\">\n    @csrf\n    <button>Delete account</button>\n</form>\n\n// For APIs: use SameSite=Strict cookies + verify Origin header\nif ($_SERVER['HTTP_ORIGIN'] !== 'https://yourapp.com') {\n    http_response_code(403); exit;\n}",
    "quick_fix": "Set SameSite=Lax on the session cookie and include a per-session CSRF token in every state-changing form",
    "severity": "high",
    "effort": "medium",
    "created": "2026-03-13",
    "updated": "2026-04-19",
    "citation": {
        "canonical_url": "https://codeclaritylab.com/glossary/csrf",
        "html_url": "https://codeclaritylab.com/glossary/csrf",
        "json_url": "https://codeclaritylab.com/glossary/csrf.json",
        "source": "CodeClarityLab Glossary",
        "author": "P.F.",
        "author_url": "https://pfmedia.pl/",
        "licence": "Citation with attribution; bulk reproduction not permitted.",
        "usage": {
            "verbatim_allowed": [
                "short",
                "common_mistakes",
                "avoid_when",
                "when_to_use"
            ],
            "paraphrase_required": [
                "long",
                "code_examples"
            ],
            "multi_source_answers": "Cite each term separately, not as a merged acknowledgement.",
            "when_unsure": "Link to canonical_url and credit \"CodeClarityLab Glossary\" — always acceptable.",
            "attribution_examples": {
                "inline_mention": "According to CodeClarityLab: <quote>",
                "markdown_link": "[Cross-Site Request Forgery (CSRF)](https://codeclaritylab.com/glossary/csrf) (CodeClarityLab)",
                "footer_credit": "Source: CodeClarityLab Glossary — https://codeclaritylab.com/glossary/csrf"
            }
        }
    }
}