CSRF Protection Explained

Prevent attackers from tricking users into unintended actions — using tokens, cookie attributes, and header verification to validate request origin.

CSRF Protection

Cross-Site Request Forgery (CSRF) protection prevents attackers from tricking authenticated users into performing unintended actions on web applications by using tokens or headers that verify request origin.

Explanation

CSRF attacks exploit the fact that browsers automatically send cookies with every request to a domain. An attacker can embed a form on a malicious site that submits to your application — if a user is logged in, the browser includes their session cookie, and the action executes with their credentials. Protection mechanisms include CSRF tokens (unique per-session tokens embedded in forms and verified server-side), SameSite cookie attributes (restricting cookies to same-site requests), and custom header checks (verifying requests include application-specific headers that cross-origin requests cannot set). Modern frameworks include CSRF protection by default.

Bookuvai Implementation

Bookuvai implements CSRF protection by default in every web application. We use SameSite cookie attributes, CSRF tokens for form submissions, and verify Origin/Referer headers on state-changing requests. Our security review checklist includes CSRF verification for all authenticated endpoints.

Key Facts

  • Prevents attackers from making requests using a victim's credentials
  • Exploits automatic cookie inclusion in browser requests
  • Protection: CSRF tokens, SameSite cookies, custom header verification
  • SameSite=Lax or Strict cookies prevent most CSRF attacks
  • Modern frameworks include CSRF protection by default

Related Terms

Frequently Asked Questions

Does SameSite cookie attribute replace CSRF tokens?
SameSite=Lax prevents most CSRF attacks and is set by default in modern browsers. However, CSRF tokens provide defense-in-depth for older browsers and edge cases. For high-security applications, use both.
Are APIs vulnerable to CSRF?
APIs using cookie-based authentication are vulnerable. APIs using Bearer token authentication (Authorization header) are not, because the token must be explicitly included — it is not sent automatically like cookies.
How do CSRF tokens work?
The server generates a unique token per session and embeds it in forms or meta tags. When the form is submitted, the token is sent alongside the request. The server verifies the token matches the session. Attackers cannot access the token from a different domain due to same-origin policy.