Understanding CSRF Attacks: How They Work and How to Stop Them
Posted by Nuno Marques on 24 May 2025
Cross-Site Request Forgery (CSRF) might not sound as flashy as XSS or MITM, but don’t be fooled—CSRF is sneaky and dangerous. It's a security flaw that tricks users into performing actions they didn’t intend.
And yes, if you're working with cookies, forms, or session-based authentication in your full-stack app, you need to care about this.
Let’s unpack what CSRF is, why it matters, and how you can defend against it.
Estimated reading time: 6 min
What Is a CSRF Attack?
TL;DR: A CSRF attack forces an authenticated user to perform unwanted actions on a web app where they're logged in—without their consent.
Imagine you’re logged into your online banking account. In another browser tab, you visit a shady website. That site silently submits a request to your bank to transfer money, using your browser’s cookies to authenticate the request. If your bank doesn’t verify where the request came from… that money is gone.
CSRF abuses the trust a site has in the user's browser.
Who's Behind It—and Why?
CSRF attacks are usually performed by:
- Malicious site owners who embed hidden forms or image tags that submit requests.
- Phishers who send links via email or social media.
- Attackers combining CSRF with XSS for even deeper exploits (yes, they stack vulnerabilities).
Their goal? Account takeover, data modification, unwanted transactions, or privilege escalation.
Common Scenarios You Should Watch For
- Changing a user’s email or password
- Transferring money
- Modifying settings or user roles in admin dashboards
- Creating or deleting data entries
If any of these actions happen via a POST request or a cookie-authenticated GET, you’re potentially vulnerable.
How Does It Compare to XSS or MITM?
While XSS (Cross-Site Scripting) targets users and injects malicious scripts, CSRF targets actions performed by users. They're often used together in layered attacks.
Check out Preventing XSS: Best Practices for Frontend Developers to understand how both can be mitigated in tandem.
And for a deeper look at cookie security, don't miss How to Secure Your Node.js API with JWT and Cookies.
How to Prevent CSRF Attacks
Here’s what you should be doing as a full-stack dev:
✅ Use CSRF Tokens
Generate a unique, per-session CSRF token and include it in every HTML form or AJAX request. On the server, verify it matches the expected value.
In Express (Node.js):
const csrf = require('csurf');
app.use(csrf({ cookie: true }));
Then pass the token into your templates or APIs.
✅ Check the Origin and Referer Headers
For sensitive endpoints, ensure the request came from your own domain:
if (req.headers.origin !== 'https://yourdomain.com') {
return res.status(403).send('CSRF blocked');
}
✅ Use SameSite Cookies
Set cookies with the SameSite flag to prevent them from being sent with cross-origin requests:
res.cookie('session', token, { httpOnly: true, sameSite: 'Strict' });
✅ Avoid GET Requests for State-Changing Actions
Only use POST, PUT, or DELETE for actions that change data. Never allow actions like "delete post" or "send payment" via a GET request.
What Frameworks Already Help With This?
Most modern frameworks offer CSRF protection out of the box:
- Django – Uses a CSRF middleware and template tag system.
- Rails – Embeds CSRF tokens into forms automatically.
- Express.js – Needs a middleware like
csurf. - Next.js – You’ll need to set it up manually or use helper libraries.
If you're using JWT in headers instead of cookies, CSRF risks are significantly reduced—but not zero. Learn more in Why Local Storage is Vulnerable to XSS Attacks (And a Safer Alternative).
Key Takeaways
- CSRF attacks exploit authenticated users to perform unwanted actions.
- They're dangerous for sites using cookies and session-based authentication.
- Defenses include CSRF tokens, checking headers, SameSite cookies, and avoiding state-changing GET requests.
- Use your framework’s built-in CSRF protection where possible.
Next Steps
- Audit your forms and APIs for CSRF risks.
- Enable CSRF tokens in your backend.
- Test with tools like OWASP ZAP or Postman Interceptor.
- Review What is a MITM Attack? to understand how these attacks connect.