Understanding CSRF - Cross-Site Request Forgery

Security is a major concern when designing web apps. And I am not talking about DDOS protection, using a strong password or 2 step verification. I am talking about the biggest threat to a web app. It is known as CSRF short for Cross Site Request Forgery.  

What is CSRF?

First thing first, CSRF is short for Cross-Site Request Forgery. It is commonly pronounced as sea-surf and often referred to as XSRF. CSRF is a type of attack where various actions are performed on the web app where the victim is logged in without the victim’s knowledge. These actions could be anything ranging from simply liking or commenting on a social media post to sending abusive messages to people or even transferring money from the victim’s bank account.  

How CSRF works?

CSRF attacks try to bank upon a simple common vulnerability in all browsers. Every time, we authenticate or login to a website, our web browser stores the session cookies. So whenever we make a request to the website, the web browser automatically sends these cookies to the server where the server identifies us by matching the cookie we sent with the server’s records. So that way it knows it’s us.

This means that any request made by me, knowingly or unknowingly, will be fulfilled. Since the cookies are being sent and they will match the records on the server, the server thinks I am making that request.

CSRF attacks usually come in form of links. We may click them on other websites or receive them as email. On clicking these links, an unwanted request is made to the server. And as I previously said, the server thinks we made the request and authenticates it.  

A Real World Example

To put things into perspective, imagine you are logged into your bank’s website. And you fill up a form on the page at yourbank.com/transfer. You fill in the account number of the receiver as 1234 and the amount of 5,000 and you click on the submit button. Now, a request will be made to yourbank.com/transfer/send?to=1234&amount=5000. So the server will act upon the request and make the transfer. Now just imagine you are on another website and you click on a link that opens up the above URL with the hacker’s account number. That money is now transferred to the hacker and the server thinks you made the transaction. Even though you didn’t.

You need to know about it – XSS

Another threat that requires protection against CSRF attack is XSS. Hackers can install malicious code on the website itself and know all about its users, perform administrative actions such as deleting a user, post, product, and so on.

If you have a website, make sure to read this. WordPress is the most popular CMS and it has a ton of security features to keep your site safe. If you use WordPress, be sure to use plugins that receive frequent updates.

Third-party plugin developers often write vulnerable code and unintentionally allow access to hackers. This way, any site administrator

Almost every month, there occurs an incident where security researchers discover vulnerabilities in WordPress plugin that allow such access. Such vulnerabilities are called XSS (Cross-Site Scripting Attack).

The developers of the plugin often forget to authenticate and verify the incoming request. If this happens, then anyone with the URL can send requests with malicious data. It can allow a hacker to install a malicious script on the vulnerable website hence compromise the entire website.

Protection against CSRF

CSRF protection is very easy to implement. It usually involves in sending a token called the CSRF token to the webpage. This token is sent and verified on the server with every new request made. So malicious requests made by the server will pass cookie authentication but fail CSRF authentication. Most web frameworks provide out of the box support for preventing CSRF attacks. Still, third-party plugin developers sometimes forget to use the security mechanism.


CSRF attacks were a big thing 10 years back but today we don’t see too many of them. In the past, famous sites such as Youtube, The New York Times and Netflix have been vulnerable to CSRF. However, the popularity and occurrence of CSRF attacks have decreased lately. Nevertheless, CSRF attacks are still a threat and it is important, you protect your website or app from it.