<strong>CSRF (Cross-Site Request Forgery)</strong> is an attack where a malicious site tricks your browser into making unwanted requests to a site you're logged into, riding on the cookies the browser attaches automatically. CSRF tokens prevent this by requiring each state-changing request to carry a secret value that only pages served by your own site can obtain.
The Forged Signature Analogy
CSRF is like someone tricking you into signing a blank check. CSRF tokens are like watermarks that prove the signature is legitimate and not forged.
Your Signature (Session): proves it's you
Forger (Attacker): tricks you into signing
CSRF Token (Watermark): proves the request is legitimate
Flow: server generates token → token included in form → server validates token
1. Server generates token: a cryptographically random string, bound to the session (one per session, or a fresh one per form)
2. Include in form: <input type='hidden' name='csrf' value='abc123'>
3. User submits form: the token is sent with the request, alongside the session cookie
4. Server validates token: checks that the submitted token matches the one stored for that session, using a constant-time comparison
5. Reject if invalid: the attacker's site can't obtain a valid token, because the same-origin policy stops evil.com from reading yourbank.com's pages, and a random token can't be guessed
Wrong
"HTTPS prevents CSRF attacks"
Correct
<strong>HTTPS doesn't prevent CSRF</strong>. HTTPS encrypts data in transit but doesn't validate request origin; the forged request from evil.com is sent over HTTPS too, with your cookies attached. You need CSRF tokens or SameSite cookies. Note that SameSite=Lax (the default in current browsers) still sends cookies on top-level GET navigations, so state-changing actions must never be reachable via GET.
CSRF attack scenario:
You're logged into yourbank.com
You visit evil.com (attacker's site)
evil.com has: <form action='https://yourbank.com/transfer' method='POST'> with hidden fields for the recipient and amount, auto-submitted by a script when the page loads
Without CSRF protection: your browser attaches your yourbank.com cookies to the cross-site POST, and the transfer succeeds!
With CSRF token: the server rejects the request, because evil.com can't read yourbank.com's pages to obtain the token and can't guess a random one
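The token flow above and the attack scenario, as one added example (this code is not part of the original page; the in-memory SESSIONS store, the Request class and the /transfer handler are assumptions standing in for a real web framework). It generates a per-session token, embeds it in the bank's form, and then shows that a request carrying the form's token is accepted while evil.com's forged requests, which can only omit or guess the token, are rejected:

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Assumption: a simple in-memory session store standing in for the
# framework's session backend. Maps session id -> session data.
SESSIONS: dict[str, dict] = {}


def new_session() -> str:
    """Create a logged-in session and return its id (the 'signature' cookie)."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": "alice", "balance": 1000}
    return sid


def issue_csrf_token(sid: str) -> str:
    """Step 1: server generates a random token and binds it to the session."""
    token = secrets.token_urlsafe(32)
    SESSIONS[sid]["csrf"] = token
    return token


def render_transfer_form(sid: str) -> str:
    """Step 2: embed the token as a hidden field. Only a page served by
    yourbank.com carries it, and evil.com cannot read that page's HTML."""
    token = issue_csrf_token(sid)
    return (
        "<form action='https://yourbank.com/transfer' method='POST'>"
        f"<input type='hidden' name='csrf' value='{token}'>"
        "<input name='to'><input name='amount'><button>Send</button></form>"
    )


@dataclass
class Request:
    """Assumed minimal request: cookies the browser attached, plus form fields."""
    cookies: dict
    form: dict = field(default_factory=dict)


def csrf_valid(req: Request) -> bool:
    """Step 4: the submitted token must match the one bound to the session.
    compare_digest keeps the comparison constant-time."""
    session = SESSIONS.get(req.cookies.get("session"))
    if session is None or "csrf" not in session:
        return False
    submitted = req.form.get("csrf")
    if not isinstance(submitted, str):
        return False
    return hmac.compare_digest(submitted, session["csrf"])


def handle_transfer(req: Request) -> tuple[int, str]:
    """POST /transfer: step 5, reject with 403 unless the token checks out."""
    if not csrf_valid(req):
        return 403, "CSRF token missing or invalid"
    session = SESSIONS[req.cookies["session"]]
    amount = int(req.form["amount"])
    session["balance"] -= amount
    return 200, f"transferred {amount} to {req.form['to']}"


def extract_hidden_token(html: str) -> str:
    """What the user's browser does implicitly when it submits the bank's form."""
    marker = "name='csrf' value='"
    start = html.index(marker) + len(marker)
    return html[start:html.index("'", start)]


def demo() -> tuple[int, int, int]:
    """Returns the status codes for (legitimate, forged-no-token, forged-guessed)."""
    sid = new_session()  # the user is logged into yourbank.com
    # Legitimate flow: the bank's own page carries the token (step 3).
    html = render_transfer_form(sid)
    legit = Request(cookies={"session": sid},
                    form={"csrf": extract_hidden_token(html), "to": "bob", "amount": "10"})
    # Forged flow: evil.com's auto-submitted form. The browser still attaches the
    # session cookie, but evil.com never saw the token, so it omits or guesses it.
    forged_no_token = Request(cookies={"session": sid},
                              form={"to": "mallory", "amount": "990"})
    forged_guess = Request(cookies={"session": sid},
                           form={"csrf": secrets.token_urlsafe(32), "to": "mallory", "amount": "990"})
    return (handle_transfer(legit)[0],
            handle_transfer(forged_no_token)[0],
            handle_transfer(forged_guess)[0])


if __name__ == "__main__":
    print(demo())  # (200, 403, 403)
```

The check deliberately fails closed: a missing session, a session with no token issued yet, a non-string field, or a mismatch all return 403. Pair this with SameSite cookies on the session cookie; the token is still what protects against the cases SameSite doesn't cover.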