Cross-site request forgery (CSRF)

In a cross-site request forgery (CSRF) attack, an attacker tricks the browser into making an HTTP request to the target site from a malicious site. The request includes the user's credentials and causes the server to carry out some harmful action, thinking that the user intended it.

A CSRF attack is possible if a website:

Uses HTTP requests to change some state on the server
Uses only cookies to validate that the request came from an authenticated user
Uses only parameters in the request that an attacker can predict

There are several defenses against CSRF attacks, including CSRF tokens, using fetch metadata to block certain cross-site requests, and setting the SameSite attribute on cookies used to authenticate sensitive requests.

See also