[{"data":1,"prerenderedAt":305},["ShallowReactive",2],{"term-c\u002Fcross-site-request-forgery":3,"related-c\u002Fcross-site-request-forgery":287},{"id":4,"title":5,"acronym":6,"body":7,"category":268,"description":269,"difficulty":270,"extension":271,"letter":272,"meta":273,"navigation":125,"path":274,"related":275,"seo":280,"sitemap":281,"stem":284,"subcategory":285,"__hash__":286},"terms\u002Fterms\u002Fc\u002Fcross-site-request-forgery.md","Cross-Site Request Forgery","CSRF",{"type":8,"value":9,"toc":262},"minimark",[10,15,19,23,26,30,251,255,258],[11,12,14],"h2",{"id":13},"eli5-the-vibe-check","ELI5 — The Vibe Check",[16,17,18],"p",{},"CSRF tricks your browser into making requests to another site while you're logged in. Imagine a malicious website with an invisible button that clicks 'transfer $1000' on your bank's site — using your browser's saved session. Your bank thinks YOU clicked it. CSRF tokens prevent this.",[11,20,22],{"id":21},"real-talk","Real Talk",[16,24,25],{},"Cross-Site Request Forgery (CSRF) exploits the browser's automatic cookie sending behavior. Attackers craft requests that impersonate authenticated users. 
Prevention involves CSRF tokens (unpredictable values embedded in forms that an attacker's site can't read), SameSite cookie attributes, and checking the Origin header.",[11,27,29],{"id":28},"show-me-the-code","Show Me The Code",[31,32,37],"pre",{"className":33,"code":34,"language":35,"meta":36,"style":36},"language-javascript shiki shiki-themes material-theme-lighter material-theme material-theme-palenight","\u002F\u002F Express with csurf middleware\nimport csrf from 'csurf';\napp.use(csrf({ cookie: true }));\n\n\u002F\u002F In your form handler route:\napp.get('\u002Fform', (req, res) => {\n  res.render('form', { csrfToken: req.csrfToken() });\n});\n\n\u002F\u002F In your HTML form:\n\u002F\u002F \u003Cinput type=\"hidden\" name=\"_csrf\" value=\"\u003C%= csrfToken %>\">\n","javascript","",[38,39,40,49,77,120,127,133,177,225,234,239,245],"code",{"__ignoreMap":36},[41,42,45],"span",{"class":43,"line":44},"line",1,[41,46,48],{"class":47},"sHwdD","\u002F\u002F Express with csurf middleware\n",[41,50,52,56,60,63,67,71,74],{"class":43,"line":51},2,[41,53,55],{"class":54},"s7zQu","import",[41,57,59],{"class":58},"sTEyZ"," csrf ",[41,61,62],{"class":54},"from",[41,64,66],{"class":65},"sMK4o"," '",[41,68,70],{"class":69},"sfazB","csurf",[41,72,73],{"class":65},"'",[41,75,76],{"class":65},";\n",[41,78,80,83,86,90,93,96,98,101,105,108,112,115,118],{"class":43,"line":79},3,[41,81,82],{"class":58},"app",[41,84,85],{"class":65},".",[41,87,89],{"class":88},"s2Zo4","use",[41,91,92],{"class":58},"(",[41,94,95],{"class":88},"csrf",[41,97,92],{"class":58},[41,99,100],{"class":65},"{",[41,102,104],{"class":103},"swJcz"," cookie",[41,106,107],{"class":65},":",[41,109,111],{"class":110},"sfNiH"," true",[41,113,114],{"class":65}," }",[41,116,117],{"class":58},"))",[41,119,76],{"class":65},[41,121,123],{"class":43,"line":122},4,[41,124,126],{"emptyLinePlaceholder":125},true,"\n",[41,128,130],{"class":43,"line":129},5,[41,131,132],{"class":47},"\u002F\u002F In your form handler 
route:\n",[41,134,136,138,140,143,145,147,150,152,155,158,162,164,167,170,174],{"class":43,"line":135},6,[41,137,82],{"class":58},[41,139,85],{"class":65},[41,141,142],{"class":88},"get",[41,144,92],{"class":58},[41,146,73],{"class":65},[41,148,149],{"class":69},"\u002Fform",[41,151,73],{"class":65},[41,153,154],{"class":65},",",[41,156,157],{"class":65}," (",[41,159,161],{"class":160},"sHdIc","req",[41,163,154],{"class":65},[41,165,166],{"class":160}," res",[41,168,169],{"class":65},")",[41,171,173],{"class":172},"spNyl"," =>",[41,175,176],{"class":65}," {\n",[41,178,180,183,185,188,190,192,195,197,199,202,205,207,210,212,215,218,221,223],{"class":43,"line":179},7,[41,181,182],{"class":58},"  res",[41,184,85],{"class":65},[41,186,187],{"class":88},"render",[41,189,92],{"class":103},[41,191,73],{"class":65},[41,193,194],{"class":69},"form",[41,196,73],{"class":65},[41,198,154],{"class":65},[41,200,201],{"class":65}," {",[41,203,204],{"class":103}," csrfToken",[41,206,107],{"class":65},[41,208,209],{"class":58}," req",[41,211,85],{"class":65},[41,213,214],{"class":88},"csrfToken",[41,216,217],{"class":103},"() ",[41,219,220],{"class":65},"}",[41,222,169],{"class":103},[41,224,76],{"class":65},[41,226,228,230,232],{"class":43,"line":227},8,[41,229,220],{"class":65},[41,231,169],{"class":58},[41,233,76],{"class":65},[41,235,237],{"class":43,"line":236},9,[41,238,126],{"emptyLinePlaceholder":125},[41,240,242],{"class":43,"line":241},10,[41,243,244],{"class":47},"\u002F\u002F In your HTML form:\n",[41,246,248],{"class":43,"line":247},11,[41,249,250],{"class":47},"\u002F\u002F \u003Cinput type=\"hidden\" name=\"_csrf\" value=\"\u003C%= csrfToken %>\">\n",[11,252,254],{"id":253},"when-youll-hear-this","When You'll Hear This",[16,256,257],{},"\"The delete endpoint needs CSRF protection.\" \u002F \"Set SameSite=Strict on session cookies to block CSRF.\"",[259,260,261],"style",{},"html pre.shiki code .sHwdD, html code.shiki 
.sHwdD{--shiki-light:#90A4AE;--shiki-light-font-style:italic;--shiki-default:#546E7A;--shiki-default-font-style:italic;--shiki-dark:#676E95;--shiki-dark-font-style:italic}html pre.shiki code .s7zQu, html code.shiki .s7zQu{--shiki-light:#39ADB5;--shiki-light-font-style:italic;--shiki-default:#89DDFF;--shiki-default-font-style:italic;--shiki-dark:#89DDFF;--shiki-dark-font-style:italic}html pre.shiki code .sTEyZ, html code.shiki .sTEyZ{--shiki-light:#90A4AE;--shiki-default:#EEFFFF;--shiki-dark:#BABED8}html pre.shiki code .sMK4o, html code.shiki .sMK4o{--shiki-light:#39ADB5;--shiki-default:#89DDFF;--shiki-dark:#89DDFF}html pre.shiki code .sfazB, html code.shiki .sfazB{--shiki-light:#91B859;--shiki-default:#C3E88D;--shiki-dark:#C3E88D}html pre.shiki code .s2Zo4, html code.shiki .s2Zo4{--shiki-light:#6182B8;--shiki-default:#82AAFF;--shiki-dark:#82AAFF}html pre.shiki code .swJcz, html code.shiki .swJcz{--shiki-light:#E53935;--shiki-default:#F07178;--shiki-dark:#F07178}html pre.shiki code .sfNiH, html code.shiki .sfNiH{--shiki-light:#FF5370;--shiki-default:#FF9CAC;--shiki-dark:#FF9CAC}html pre.shiki code .sHdIc, html code.shiki .sHdIc{--shiki-light:#90A4AE;--shiki-light-font-style:italic;--shiki-default:#EEFFFF;--shiki-default-font-style:italic;--shiki-dark:#BABED8;--shiki-dark-font-style:italic}html pre.shiki code .spNyl, html code.shiki .spNyl{--shiki-light:#9C3EDA;--shiki-default:#C792EA;--shiki-dark:#C792EA}html .light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html.light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: 
var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}",{"title":36,"searchDepth":51,"depth":51,"links":263},[264,265,266,267],{"id":13,"depth":51,"text":14},{"id":21,"depth":51,"text":22},{"id":28,"depth":51,"text":29},{"id":253,"depth":51,"text":254},"security","CSRF tricks your browser into making requests to another site while you're logged in.","intermediate","md","c",{},"\u002Fterms\u002Fc\u002Fcross-site-request-forgery",[6,276,277,278,279],"XSS","Session Hijacking","Token","CORS",{"title":5,"description":269},{"changefreq":282,"priority":283},"weekly",0.7,"terms\u002Fc\u002Fcross-site-request-forgery",null,"WLf-srVVcB2Ywl9s8b84Brb_5hfh9_8GDCFYN2mUIHg",[288,291,294,297,302],{"title":279,"path":289,"acronym":279,"category":268,"difficulty":270,"description":290},"\u002Fterms\u002Fc\u002Fcors","CORS (Cross-Origin Resource Sharing) is the browser's built-in protection that prevents random websites from making API calls to your backend using the vis...",{"title":6,"path":292,"acronym":6,"category":268,"difficulty":270,"description":293},"\u002Fterms\u002Fc\u002Fcsrf","CSRF (Cross-Site Request Forgery) is when a bad website hijacks your logged-in session on a good website to do things you didn't ask 
for.",{"title":277,"path":295,"acronym":285,"category":268,"difficulty":270,"description":296},"\u002Fterms\u002Fs\u002Fsession-hijacking","Session hijacking is when an attacker steals your session cookie or token and impersonates you.",{"title":278,"path":298,"acronym":285,"category":299,"difficulty":300,"description":301},"\u002Fterms\u002Ft\u002Ftoken","vibecoding","beginner","In AI-land, a token is a chunk of text — roughly 3\u002F4 of a word.",{"title":276,"path":303,"acronym":276,"category":268,"difficulty":270,"description":304},"\u002Fterms\u002Fx\u002Fxss","XSS stands for Cross-Site Scripting. Hackers inject their own JavaScript into your site so when other users visit, the evil script runs in their browser.",1776518270915]