Security

What is Cross-Site Request Forgery (CSRF)?

An attack that tricks a logged-in user's browser into making unwanted requests to your app, like changing their password or transferring money.

In plain English

You're logged into your bank. While browsing another website, that site secretly sends a 'transfer $1000' request to your bank. Your browser attaches your bank cookies automatically, so the bank thinks you made the request. CSRF exploits the fact that a browser sends a site's cookies with every request to that site, regardless of which page triggered the request.

How it works

The attacker creates a page with a hidden, auto-submitting form (for POST requests) or an image tag (for GET requests) that sends a request to your app. When a logged-in user visits this page, their browser sends the request with their session cookies attached. Your server sees a valid session and processes the request as if the user intended it; it cannot tell the forged request from a real one because both arrive with the same cookies.

How to prevent it

Use CSRF tokens: unpredictable, per-session values that the server embeds in every state-changing form and verifies on submission. The attacker's page can't read the token because the same-origin policy stops it from reading responses from your domain, so it can't assemble a valid request. As a second layer, set the SameSite attribute on the session cookie ('Lax' or 'Strict') so the browser withholds it on cross-site requests. Two caveats: SameSite=Lax still sends the cookie on top-level GET navigations, so no GET endpoint may ever change state, and SameSite restricts cross-site requests, not all cross-origin ones, so a compromised sibling subdomain can still send the cookie. Keep the token check even when SameSite is set.

Modern protections

Most modern frameworks include CSRF protection by default, and Next.js server actions include built-in CSRF protection. Chromium-based browsers treat a cookie with no SameSite attribute as Lax, which significantly reduces the attack surface, but not every browser does, so set the attribute explicitly rather than relying on the default. If your app uses JSON APIs that require a custom header, CSRF is less of a concern: a cross-origin request carrying a custom header is not a 'simple' request, so the browser sends a CORS preflight first and only completes the request if your server explicitly allows that origin. That protection evaporates if your CORS configuration reflects arbitrary origins together with Access-Control-Allow-Credentials: true, and it does not cover endpoints that also accept plain form posts (application/x-www-form-urlencoded, multipart/form-data or text/plain), which need no preflight.

Frequently asked questions

Do I need CSRF protection for my API?

If your API uses cookie-based authentication and is called from browsers, yes. If it uses token-based auth (a Bearer token in the Authorization header), CSRF is less of a concern: the browser never attaches that header on its own, and the attacker's page cannot read the token from your origin's storage, so it cannot forge an authenticated request.

Check your app

Get a professional review of your app at a fixed price.

Security Scan

Black-box review of your public-facing app. No code access needed.

$19
  • OWASP Top 10 checks
  • SSL/TLS analysis
  • Security headers
  • Expert review within 24h
Get Started

Code Audit

In-depth review of your source code for security, quality, and best practices.

$19
  • Security vulnerabilities
  • Code quality review
  • Dependency audit
  • AI pattern analysis
Get Started
Best Value

Complete Bundle

Both scans in one package with cross-referenced findings.

$29 (regular price $38)
  • Everything in both products
  • Cross-referenced findings
  • Unified action plan
Get Started

100% credited toward any paid service. Start with an audit, then let us fix what we find.

Worried about Cross-Site Request Forgery (CSRF) in your app?

Get a professional code audit ($19) or book a free call to discuss your concerns.

Tell Us About Your App