The Big Idea
What if a website you trust could secretly make dangerous changes without you knowing?
0
0
Why Cross-site request forgery (CSRF) in Cybersecurity? - Purpose & Use Cases
The Scenario
Imagine you are logged into your online bank account in one browser tab. In another tab, you visit a website that looks harmless but secretly tries to make a money transfer from your account without your permission.
The Problem
Manually checking every website you visit to ensure it won't misuse your login is impossible. Without protection, attackers can trick your browser into sending harmful requests using your credentials, leading to unauthorized actions.
The Solution
CSRF protection techniques add secret tokens or checks that confirm requests come from you intentionally. This stops attackers from forging requests because they cannot guess or include these secret tokens.
Before vs After
✗ Before
<form action='/transfer' method='POST'> <input name='amount' value='1000'> <button>Send</button> </form>
✓ After
<form action='/transfer' method='POST'> <input name='amount' value='1000'> <input type='hidden' name='csrf_token' value='random_secret'> <button>Send</button> </form>
What It Enables
It enables websites to trust that actions are truly initiated by their users, protecting sensitive operations from hidden attacks.
Real Life Example
When you submit a form to change your email or password, CSRF protection ensures that only you can make that change, not a malicious site pretending to be you.
Key Takeaways
CSRF tricks browsers into sending unwanted requests using your login.
Manual vigilance is not enough to prevent these attacks.
CSRF tokens and checks protect users by verifying genuine requests.