10 KiB
| title | chunk | source | category | tags | date_saved | instance |
|---|---|---|---|---|---|---|
| Cross-site request forgery (CSRF) - Glossary | MDN | 1/3 | https://developer.mozilla.org/en-US/docs/Glossary/CSRF | reference | web, html, css, javascript, documentation | 2026-05-05T05:26:24.092434+00:00 | kb-cron |
MDN HTML HTML: Markup language
HTML reference
HTML guides
Markup languages
CSS reference
CSS guides
Layout cookbook
JavaScriptJS JavaScript: Scripting language
JS reference
JS guides
Web APIs Web APIs: Programming interfaces
Web API reference
Web API guides
- Using the Web animation API
- Using the Fetch API
- Working with the History API
- Using the Web speech API
- Using web workers
Technologies
Topics
Learn Learn web development
Frontend developer course
- Getting started modules
- Core modules
- MDN Curriculum
- Check out the video course from Scrimba, our partner
Learn HTML
Learn CSS
Learn JavaScript
Tools Discover our tools
About Get to know MDN better
Cross-site request forgery (CSRF)
In a cross-site request forgery (CSRF) attack, an attacker tricks the browser into making an HTTP request to the target site from a malicious site. The request includes the user's credentials and causes the server to carry out some harmful action, thinking that the user intended it. A CSRF attack is possible if a website:
- Uses HTTP requests to change some state on the server
- Uses only cookies to validate that the request came from an authenticated user
- Uses only parameters in the request that an attacker can predict
There are several defenses against CSRF attacks, including CSRF tokens, using fetch metadata to block certain cross-site requests, and setting the SameSite attribute on cookies used to authenticate sensitive requests.