Cross-Site Request Forgery
CSRF
ELI5 — The Vibe Check
CSRF tricks your browser into making requests to another site while you're logged in. Imagine a malicious website with an invisible button that clicks 'transfer $1000' on your bank's site — using your browser's saved session. Your bank thinks YOU clicked it. CSRF tokens prevent this.
Real Talk
Cross-Site Request Forgery (CSRF) exploits the browser's automatic cookie-sending behaviour: every request to a site carries that site's cookies, no matter which page triggered it. An attacker's page submits a crafted request (typically a hidden, auto-submitted form) to the target site, and the server cannot tell it apart from one the authenticated user made deliberately. Prevention involves CSRF tokens (unpredictable per-session values embedded in forms that a cross-origin page cannot read, because the same-origin policy blocks it), SameSite cookie attributes (Lax or Strict, so the browser withholds the session cookie on cross-site requests), and checking the Origin (or, failing that, Referer) header on state-changing requests. These checks only cover state-changing methods, so GET handlers must never have side effects.
Show Me The Code
// Express with csurf middleware (csurf is archived upstream, but the synchronizer-token pattern it shows is still the standard one)
import express from 'express';
import cookieParser from 'cookie-parser';
import csrf from 'csurf';
const app = express();
app.use(cookieParser()); // csrf({ cookie: true }) keeps its secret in a cookie, so cookie-parser must run first
app.use(express.urlencoded({ extended: false })); // parses the _csrf field out of form bodies
app.use(csrf({ cookie: true }));
// Route that renders the form: embed a fresh token
app.get('/form', (req, res) => {
res.render('form', { csrfToken: req.csrfToken() });
});
// Every state-changing route after the middleware is protected: csurf rejects any POST whose _csrf field doesn't match
app.post('/transfer', (req, res) => { res.send('ok'); });
// In your HTML form:
// <input type="hidden" name="_csrf" value="<%= csrfToken %>">
When You'll Hear This
"The delete endpoint needs CSRF protection." / "Set SameSite=Strict on session cookies to block CSRF."
Related Terms
CORS (CORS)
CORS (Cross-Origin Resource Sharing) is the browser's built-in protection that prevents random websites from making API calls to your backend using the vis...
CSRF (CSRF)
CSRF (Cross-Site Request Forgery) is when a bad website hijacks your logged-in session on a good website to do things you didn't ask for.
Session Hijacking
Session hijacking is when an attacker steals your session cookie or token and impersonates you.
Token
In AI-land, a token is a chunk of text — roughly 3/4 of a word.
XSS (XSS)
XSS stands for Cross-Site Scripting. Hackers inject their own JavaScript into your site so when other users visit, the evil script runs in their browser.