Why it matters

CSRF was a huge vulnerability class. Modern browsers largely fixed via SameSite, but knowing prevents legacy bugs.

Advertisement

The architecture

Classic: attacker page has form/img/script that triggers request to victim site. Browser sends cookies automatically.

Result: authenticated action performed by user without consent.

CSRF attack flowMalicious pagetriggers requestBrowser sends cookiesautomaticAction executedon victim siteSameSite cookies (Lax default in modern browsers) block cross-site cookie sending
CSRF mechanism.
Advertisement

How it works end to end

SameSite cookies: modern browsers default to Lax. Cookies not sent on cross-site requests. Solves classic CSRF.

CSRF tokens: legacy defense. Unique token per session, verified on state-changing requests.

Same-origin policy: browsers prevent cross-origin JavaScript access.