Why it matters
CSRF was a huge vulnerability class. Modern browsers largely fixed via SameSite, but knowing prevents legacy bugs.
Advertisement
The architecture
Classic: attacker page has form/img/script that triggers request to victim site. Browser sends cookies automatically.
Result: authenticated action performed by user without consent.
Advertisement
How it works end to end
SameSite cookies: modern browsers default to Lax. Cookies not sent on cross-site requests. Solves classic CSRF.
CSRF tokens: legacy defense. Unique token per session, verified on state-changing requests.
Same-origin policy: browsers prevent cross-origin JavaScript access.