Security Category

CSRF

Cross-site request forgery attack pattern.

Definition

CSRF is an attack where a logged-in browser is tricked into sending unintended requests; defenses include same-site cookies and anti-CSRF tokens.

Practical Example & Use Case

Security reviews verify that state-changing form submissions require CSRF tokens and that cross-origin requests lacking a valid anti-CSRF token are rejected.
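The check described above, as an added example that is not part of the original page: a minimal server-side handler that sets the session cookie with SameSite, binds an anti-CSRF token to the session with an HMAC, and rejects state-changing requests that arrive cross-origin or without a valid token. The site origin `https://app.example`, the session id format and the `csrf_token` form field name are assumptions; no web framework is used so the code runs with the Python standard library alone.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# Constructed values for this example; a real deployment loads the key from
# configuration and serves from its own origin.
SECRET_KEY = secrets.token_bytes(32)
SITE_ORIGIN = ("https", "app.example")          # assumed site origin
SAFE_METHODS = ("GET", "HEAD", "OPTIONS")       # must never change state


def issue_csrf_token(session_id: str) -> str:
    """Derive a token bound to one session, so it cannot be replayed against another."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def is_valid_csrf_token(session_id: str, token: str) -> bool:
    """Constant-time comparison against the token expected for this session."""
    return hmac.compare_digest(issue_csrf_token(session_id), token or "")


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value for the session: SameSite=Lax keeps the cookie off
    cross-site POSTs, HttpOnly/Secure limit where it can be read or sent."""
    return f"session={session_id}; HttpOnly; Secure; SameSite=Lax; Path=/"


def is_same_site_origin(origin_header: str) -> bool:
    """Compare scheme and host exactly; a prefix check would accept look-alike hosts."""
    parts = urlsplit(origin_header)
    return (parts.scheme, parts.netloc) == SITE_ORIGIN


def handle_request(method: str, headers: dict, body: str, session_id: str) -> int:
    """Return an HTTP status: 200 when the request may proceed, 403 when it is refused."""
    if method in SAFE_METHODS:
        return 200

    # Layer 1: if the browser tells us where the request came from, it must be our site.
    origin = headers.get("Origin") or headers.get("Referer")
    if origin and not is_same_site_origin(origin):
        return 403

    # Layer 2: every state-changing request must carry the token bound to this session.
    form = parse_qs(body)
    token = form.get("csrf_token", [""])[0]
    if not is_valid_csrf_token(session_id, token):
        return 403
    return 200


if __name__ == "__main__":
    sid = "sess-123"                              # constructed session id
    tok = issue_csrf_token(sid)
    print(session_cookie_header(sid))
    print(handle_request("POST", {"Origin": "https://app.example"}, f"csrf_token={tok}&email=a@b", sid))
    print(handle_request("POST", {"Origin": "https://evil.example"}, f"csrf_token={tok}&email=a@b", sid))
    print(handle_request("POST", {}, "email=a@b", sid))
```

The origin check and the token check are kept as separate layers on purpose: the origin check covers browsers that send `Origin` or `Referer`, while the token check covers requests where those headers are absent, which is why the glossary's "Common Confusions" note that same-site cookies help but do not replace an explicit token on sensitive actions.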

Editorial review date: 2026-03-14

Why It Matters

CSRF protections matter because authenticated browsers can send valid-looking requests even when the user did not intend to perform the action. Teams need to spot this risk before launch, not after an account-setting or admin action is abused.

Common Confusions

  • CSRF vs XSS: XSS injects attacker-controlled script, while CSRF abuses an already authenticated browser session.
  • CSRF token vs auth token: a CSRF token proves a request came from the intended origin flow, not that the user is authenticated.
  • CSRF protection vs same-site cookies: same-site cookies help, but many teams still layer explicit CSRF defenses on sensitive actions.

Interactive Practice

Learn CSRF and related Security terms by playing our vocabulary word search puzzle.