CSRF: SameSite Cookies and Tokens
Understand how Cross-Site Request Forgery exploits cookies, use SameSite=Strict/Lax to prevent it, and add synchroniser tokens for extra protection.
What Is CSRF?
Cross-Site Request Forgery: an attacker tricks an authenticated user's browser into sending a request to your site. The browser attaches the user's cookies — the server thinks it's a legitimate request from the user.
Classic CSRF Attack
User is logged into bank.com. They visit evil.com. evil.com submits a hidden form to bank.com/transfer with attacker's account number. Browser sends bank.com's session cookie automatically. Server transfers money.
All lessons in this course
- XSS Prevention: Output Encoding CSP
- CSRF: SameSite Cookies and Tokens
- Content Security Policy: nonce and hash
- OAuth Flows from the Frontend