Cross-site request forgery (CSRF)
{{GlossarySidebar}}
In a cross-site request forgery (CSRF) attack, an attacker tricks the browser into making an HTTP request to the target site from a malicious site. The request includes the user’s credentials and causes the server to carry out some harmful action, thinking that the user intended it.
A CSRF attack is possible if a website:
- Uses HTTP requests to change some state on the server
- Uses only cookies to validate that the request came from an authenticated user
- Uses only parameters in the request that an attacker can predict
There are several defenses against CSRF attacks, including CSRF tokens, using fetch metadata to block certain cross-site requests, and setting the SameSite attribute on cookies used to authenticate sensitive requests.