CSRF Protection — Cross-Site Request Forgery

03. 12. 2023 1 min read intermediate

A CSRF attack forces an authenticated user's browser to perform an unwanted action on a site where the user is logged in. The browser automatically attaches that site's cookies to the request, and the attacker exploits this.

How CSRF Works

A user is logged into bank.com. They visit evil.com, which contains a hidden form that sends a POST to bank.com/transfer. The browser attaches the session cookie, so bank.com processes the forged request as if the user had submitted it.

Defense: CSRF Token + SameSite

Express.js

```javascript
const csrf = require('csurf');
app.use(csrf({ cookie: true })); // cookie mode requires cookie-parser to be mounted before this
```

SameSite Cookie

```http
Set-Cookie: session=abc; SameSite=Lax; Secure; HttpOnly
```

Modern Approach

  • SameSite=Lax is the default in modern browsers
  • CSRF token for state-changing operations
  • An API authenticated with a Bearer token in the Authorization header is immune to CSRF, because the browser never attaches that header on its own

Key Takeaway

SameSite=Lax + CSRF tokens for forms. An API with a Bearer token is immune to CSRF.

CORE SYSTEMS team