CSRF attacks
Definition
CSRF (Cross-Site Request Forgery) attacks involve tricking authenticated users into unknowingly performing actions on a web application. The attacker exploits the trust between the victim's browser and the application to execute unauthorized actions.
The classic example is a victim receiving an email containing an image tag whose source URL is a fund-transfer request to the web application (the victim's bank), crafted by the attacker. When the victim's browser loads the image, it sends that request to the application together with the victim's session cookie, so the application treats it as a legitimate request from the logged-in user. As a result, funds are transferred from the victim's account to the attacker's account without the victim's knowledge or consent. This shows how CSRF attacks exploit the browser's trust relationship with the application to perform unauthorized actions.
Security risks
The security risks related to CSRF attacks can be significant:
How to prevent it
There are two measures that should be used together to prevent CSRF attacks:
- Implement anti-CSRF tokens: include a unique and random token in each HTML form or request that modifies state on the server. The token must be validated before the request is processed, which proves that it originated from a page served by the application and not from an attacker's site.
Anti-CSRF tokens are implemented in most frameworks, but you often need to enable them and the CSRF check explicitly.{.is-info}
- Set the `SameSite` attribute on the session cookie (`Strict` or `Lax`) so the browser does not attach it to cross-site requests.
Do not use `SameSite=None`, as it allows the cookie to be sent on cross-site requests, no matter the origin.{.is-danger}
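As an added example (not code from the original page), here is a minimal server-side implementation of both measures using only the Python standard library: a per-session random anti-CSRF token that is embedded in the form and checked with a constant-time comparison before the state-changing action runs, plus a session cookie issued with `SameSite=Lax`. The class, the `/transfer` endpoint and the field names are hypothetical.

```python
import hmac
import secrets
from http.cookies import SimpleCookie

# Hypothetical minimal server-side CSRF protection (example only, not from the page).
class CsrfProtection:
    def __init__(self):
        # Server-side session store: session id -> anti-CSRF token for that session.
        self.sessions = {}

    def new_session(self):
        """Log a user in: create a session and a fresh random anti-CSRF token."""
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = secrets.token_urlsafe(32)
        return sid

    def session_cookie(self, sid):
        """Set-Cookie value for the session: SameSite=Lax, never None."""
        c = SimpleCookie()
        c["session"] = sid
        c["session"]["httponly"] = True
        c["session"]["secure"] = True
        c["session"]["samesite"] = "Lax"
        return c.output(header="").strip()

    def render_form(self, sid):
        """Embed the session's token in the state-changing form as a hidden field."""
        token = self.sessions[sid]
        return ('<form method="POST" action="/transfer">'
                f'<input type="hidden" name="csrf_token" value="{token}">'
                '<input name="to"><input name="amount"><button>Send</button></form>')

    def token_is_valid(self, sid, form_fields):
        """Constant-time check of the submitted token against the session's token."""
        expected = self.sessions.get(sid)
        submitted = form_fields.get("csrf_token", "")
        if expected is None or not submitted or not submitted.isascii():
            return False
        return hmac.compare_digest(expected, submitted)

    def handle_transfer(self, cookie_header, form_fields):
        """Handler for POST /transfer: validate the token BEFORE changing any state."""
        cookies = SimpleCookie()
        cookies.load(cookie_header)
        sid = cookies["session"].value if "session" in cookies else None
        if sid not in self.sessions:
            return 401, "not logged in"
        if not self.token_is_valid(sid, form_fields):
            return 403, "CSRF token missing or invalid"  # forged request rejected
        return 200, f"transferred {form_fields['amount']} to {form_fields['to']}"
```

A forged cross-site request (such as the image tag above) carries the session cookie but cannot read the token from the form, so it fails the token check even though it arrives with a valid session.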