0Pricing
Frontend Academy · Lesson

CSRF: SameSite Cookies and Tokens

Understand how Cross-Site Request Forgery exploits cookies, use SameSite=Strict/Lax to prevent it, and add synchroniser tokens for extra protection.

What Is CSRF?

Cross-Site Request Forgery: an attacker tricks an authenticated user's browser into sending a request to your site. The browser attaches the user's cookies — the server thinks it's a legitimate request from the user.

Classic CSRF Attack

User is logged into bank.com. They visit evil.com. evil.com submits a hidden form to bank.com/transfer with attacker's account number. Browser sends bank.com's session cookie automatically. Server transfers money.

All lessons in this course

  1. XSS Prevention: Output Encoding CSP
  2. CSRF: SameSite Cookies and Tokens
  3. Content Security Policy: nonce and hash
  4. OAuth Flows from the Frontend
← Back to Frontend Academy