1. Why CSRF Is Hard to Grasp — and Why It Does Not Have to Be
CSRF — Cross-Site Request Forgery — is one of those security terms that tends to get filed under "deal with later." Search for it and you are met with protocol diagrams, HTTP header specifications, and framework documentation. The underlying problem, though, is genuinely simple.
No malware required. No password stolen. The user just clicks a link, loads a page, or opens an email — and your site does something it was not supposed to do. That is CSRF.
Because users cannot detect or prevent this themselves, the responsibility falls entirely on the website side. That is why it matters to web managers — not just to engineers.
2. How CSRF Actually Works
When a user is logged in to your site, their browser holds a session cookie that authenticates them. Every request the browser makes to your site — clicking a button, submitting a form — automatically includes that cookie. Your server sees the cookie and treats the request as legitimate.
CSRF exploits this. An attacker builds a page that contains a hidden request targeting your site. When a logged-in user visits that page — from a social media link, an ad, an email, even an embedded image — the browser sends the request automatically, session cookie and all. Your server has no way to tell the difference from a genuine user action.
The results can include:
- Account settings changed without the user's knowledge
- Purchases or transactions submitted on the user's behalf
- Data deleted or modified
- Registrations or subscriptions created without consent
The attack is invisible to the user. They may never know it happened. That invisibility is precisely what makes it dangerous — and why proactive protection on the server side is the only reliable defence.
3. The Most Important Defence: CSRF Tokens
The primary defence against CSRF is the CSRF token — a unique, unpredictable value generated by the server for each page load and embedded in every form. When the form is submitted, the server checks that the token matches. A request coming from an attacker's external page cannot include a valid token, so it is rejected.
How to run it correctly
- Embed a CSRF token in every form that performs a state-changing action
- Validate the token on the server when the form is submitted — never trust the client
- Generate a fresh token for each session or request — never reuse them
- Use your framework's built-in CSRF protection rather than implementing it yourself
That last point is worth emphasizing. Custom CSRF implementations consistently introduce subtle gaps. Every major web framework — Laravel, Django, Rails, Spring, Express, and others — provides tested, well-maintained CSRF protection built in. Use it.
If your site is built or maintained by an external agency, one practical question to ask is: "Is CSRF token protection implemented on all forms?" The answer will tell you a great deal about the security posture of the work.
4. The Quick Win: SameSite Cookie Attribute
Alongside CSRF tokens, setting the SameSite attribute on cookies is one of the most effective and lowest-effort protections available. It instructs the browser not to send cookies when a request originates from a different site — which is exactly the vector CSRF exploits.
- Set
SameSite=Laxas the default on session and authentication cookies — this blocks cross-site POST requests while preserving normal navigation - Combine it with the
Secureattribute to ensure cookies are only transmitted over HTTPS
Applying this to your login session cookie alone provides meaningful protection and can typically be done in a short configuration change. Combined with CSRF tokens, it creates a significantly more robust defence than either measure alone.
5. Building Protection Into Your Workflow
CSRF protection is not a one-time setup. It needs to be part of how your team handles ongoing site work — because new forms and new pages are where gaps appear.
When to check
- A new form is added to the site — contact, application, registration, checkout
- A campaign landing page or temporary microsite is created
- Work is handed off to an external agency or freelancer
- A communications or marketing team member makes updates to form pages
The most reliable way to handle this is to add a CSRF check to your existing publishing or QA process. A single checklist item — "Does this form have CSRF token protection?" — catches most issues before they reach production. It takes seconds to verify and costs nothing to maintain.
Making it a workflow step rather than an afterthought is what distinguishes organizations that stay protected over time from those that accumulate gaps.
6. Three Things to Remember
CSRF is one of those topics that feels more complex than it is. When you strip the terminology away, the actions that matter are straightforward:
SameSite=Lax and Secure on session cookies
None of this requires deep security expertise. The barrier to CSRF protection is not technical complexity — it is organizational habit. Once these three checks are part of how your team works, the incremental effort is minimal and the accumulated protection is real.
Start with one change today. Add the next one to your workflow. Each step builds toward a site that is meaningfully harder to exploit — and users who can trust it more.
Layer server-side file monitoring on top of your CSRF defences
CSRF protection secures your forms and sessions. F-PAT monitors your server files 24/7 and alerts you the moment any file is tampered with — a complementary layer that catches what form-level protections cannot.