[{"data":1,"prerenderedAt":87},["ShallowReactive",2],{"term-c\u002Fcsrf":3,"related-c\u002Fcsrf":69},{"id":4,"title":5,"acronym":5,"body":6,"category":48,"description":49,"difficulty":50,"extension":51,"letter":52,"meta":53,"navigation":54,"path":55,"related":56,"seo":62,"sitemap":63,"stem":66,"subcategory":67,"__hash__":68},"terms\u002Fterms\u002Fc\u002Fcsrf.md","CSRF",{"type":7,"value":8,"toc":41},"minimark",[9,14,18,22,34,38],[10,11,13],"h2",{"id":12},"eli5-the-vibe-check","ELI5 — The Vibe Check",[15,16,17],"p",{},"CSRF (Cross-Site Request Forgery) is when a bad website hijacks your logged-in session on a good website to do things you didn't ask for. Your browser helpfully sends cookies with every request — CSRF exploits that helpfulness. The fix is a secret token only your real app knows.",[10,19,21],{"id":20},"real-talk","Real Talk",[15,23,24,25,29,30,33],{},"CSRF forces authenticated users to execute unwanted actions on web applications. It exploits the browser's implicit trust model where cookies are sent automatically. \nMitigations include CSRF tokens, SameSite cookie attribute (",[26,27,28],"code",{},"Strict"," or ",[26,31,32],{},"Lax","), and requiring custom request headers.",[10,35,37],{"id":36},"when-youll-hear-this","When You'll Hear This",[15,39,40],{},"\"CSRF attack forged a bank transfer using the victim's session.\" \u002F \"The CSRF token mismatch blocked the forged request.\"",{"title":42,"searchDepth":43,"depth":43,"links":44},"",2,[45,46,47],{"id":12,"depth":43,"text":13},{"id":20,"depth":43,"text":21},{"id":36,"depth":43,"text":37},"security","CSRF (Cross-Site Request Forgery) is when a bad website hijacks your logged-in session on a good website to do things you didn't ask for.","intermediate","md","c",{},true,"\u002Fterms\u002Fc\u002Fcsrf",[57,58,59,60,61],"Cross-Site Request Forgery","XSS","Session Hijacking","Token","CORS",{"title":5,"description":49},{"changefreq":64,"priority":65},"weekly",0.7,"terms\u002Fc\u002Fcsrf",null,"jd3psjQMvNfFpqhHSHd81VwArmnwcwGAnuUDPUCf8ZI",[70,73,76,79,84],{"title":61,"path":71,"acronym":61,"category":48,"difficulty":50,"description":72},"\u002Fterms\u002Fc\u002Fcors","CORS (Cross-Origin Resource Sharing) is the browser's built-in protection that prevents random websites from making API calls to your backend using the vis...",{"title":57,"path":74,"acronym":5,"category":48,"difficulty":50,"description":75},"\u002Fterms\u002Fc\u002Fcross-site-request-forgery","CSRF tricks your browser into making requests to another site while you're logged in.",{"title":59,"path":77,"acronym":67,"category":48,"difficulty":50,"description":78},"\u002Fterms\u002Fs\u002Fsession-hijacking","Session hijacking is when an attacker steals your session cookie or token and impersonates you.",{"title":60,"path":80,"acronym":67,"category":81,"difficulty":82,"description":83},"\u002Fterms\u002Ft\u002Ftoken","vibecoding","beginner","In AI-land, a token is a chunk of text — roughly 3\u002F4 of a \nword.",{"title":58,"path":85,"acronym":58,"category":48,"difficulty":50,"description":86},"\u002Fterms\u002Fx\u002Fxss","XSS stands for Cross-Site Scripting. Hackers inject their own JavaScript into your site so when other users visit, the evil script runs in their browser.",1776518262954]