HostPedia

CSRF

Security
Definition

CSRF is a web security vulnerability where a malicious site tricks a logged-in user’s browser into sending unwanted requests to a trusted application, using the user’s existing session cookies. If the target relies only on cookies for authentication and lacks anti-CSRF controls, attackers can trigger actions like changing settings or submitting forms without the user’s intent.

How It Works

Cross-Site Request Forgery exploits the fact that browsers automatically attach cookies (and, where configured, HTTP Basic credentials or client certificates) to every request sent to a site, regardless of which page caused the request. If a user is authenticated to a site in one tab, a page on another site can make the browser send a request to that site, for example by embedding a form that JavaScript submits on load, loading an image whose URL performs an action, or issuing a cross-origin fetch that counts as a "simple" request (form-encoded or text/plain body), which the browser sends with cookies and without a CORS preflight even though the script cannot read the response. The vulnerable application sees a valid session cookie and processes the request as if the user had initiated it.

Effective defenses prove that a state-changing request came from a page the application itself served and from an action the user took. Common controls are anti-CSRF tokens (unpredictable values bound to the user's session, embedded in forms, and checked on every POST/PUT/PATCH/DELETE), the SameSite cookie attribute (Lax or Strict, set explicitly rather than relying on browser defaults) so the session cookie is not attached to cross-site requests, and rejecting state-changing requests whose Origin header (or Referer, when Origin is absent) does not match the site's own origin. Requiring re-authentication or step-up verification for sensitive actions, and keeping GET requests free of side effects (SameSite=Lax still sends the cookie on top-level GET navigations), further reduce risk.

Why It Matters for Web Hosting

CSRF protection affects the security posture of hosted applications, especially CMS dashboards, admin panels, and custom web apps that rely on cookie-based sessions. When comparing hosting plans, look for environments that serve everything over HTTPS (so session cookies can carry the Secure attribute), run current framework versions that set SameSite and HttpOnly and issue anti-CSRF tokens by default, and offer WAF or reverse-proxy options that can reject state-changing requests from foreign origins. Poor CSRF hygiene can turn a minor compromise into account takeover, content changes, or payment and email-setting abuse.

Common Use Cases

  • Protecting CMS and control panel actions (password changes, plugin installs, user creation)
  • Securing e-commerce operations (address changes, checkout steps, refund or coupon actions)
  • Hardening account settings endpoints (email, MFA, API key generation)
  • Defending internal admin tools and back-office dashboards behind SSO
  • Validating state-changing API requests that still use browser cookies

CSRF vs XSS

CSRF makes a victim's browser send an authenticated request the victim did not intend, without running any attacker code on the target site; the attacker cannot read the response, only cause the side effect. XSS runs attacker-controlled script in the context of the target site, so it can read page content and anti-CSRF tokens and issue requests directly, which bypasses every CSRF control. Strong XSS defenses therefore protect CSRF tokens, while CSRF defenses limit what an attacker can do with a victim's cookies alone; neither substitutes for the other.