Overview

Cross-Site Request Forgery, abbreviated CSRF (pronounced 'sea-surf'), exploits the trust that a site has in a user's browser. Because the browser automatically attaches the site's cookies to every request it sends there, regardless of which page triggered the request, an attacker can trick a logged-in user's browser into sending a state-changing request (e.g., to change a password or transfer funds) that the site then treats as the user's own, without the user's knowledge.

How it Works

The attacker typically lures the victim to a malicious website or email containing a hidden request to the target site, for example an <img> tag whose src points to a sensitive GET action, or an auto-submitting HTML form for a POST action. The victim's browser sends the request with the session cookie attached, so the target site cannot tell it apart from a request the user made deliberately. The attacker never sees the response; CSRF relies entirely on the request itself having a side effect.

Prevention

  • Anti-CSRF Tokens: Unique, unpredictable tokens bound to the user's session, included in every state-changing request and validated on the server. A cross-site page cannot read the token, so forged requests fail the check.
  • SameSite Cookie Attribute: Setting SameSite=Lax or SameSite=Strict on the session cookie so the browser does not send it with cross-site requests. Lax still sends the cookie on top-level GET navigations, so state-changing actions must never be reachable via GET.
  • Re-authentication: Requiring a password or MFA for sensitive actions such as changing an email address or moving money, so a forged request alone is not enough to complete them.

Related Terms