What is CSRF (Cross-Site Request Forgery)?

Turkish: CSRF

CSRF tricks a logged-in user's browser into sending an unwanted state-changing request, often by abusing the session cookies the browser attaches automatically.

What is CSRF?

CSRF (Cross-Site Request Forgery) happens when another site makes the user's browser send a request to a target application while the user still has a valid session there. Because browsers attach cookies automatically, the server may treat the request as if the user intentionally sent it.

How Does the Attack Work?

The user is logged in to a bank, admin panel, or e-commerce account. A page controlled by the attacker silently triggers a state-changing request, such as transferring money, changing an email address, or adding a shipping address. If the application trusts only the session cookie, the action may succeed.

Protection Methods

  • Use unpredictable CSRF tokens for critical forms and requests
  • Set cookies with SameSite=Lax or SameSite=Strict where appropriate
  • Validate Origin and Referer headers
  • Do not change data through GET requests
  • Require re-authentication or confirmation for high-risk actions
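The following is an added example, not code from the original page, showing how the first three protections combine on the server side: a per-session CSRF token bound by HMAC, an Origin/Referer check against the application's own origin, and a session cookie issued with SameSite=Lax. The secret, the allowed origin, the session id and the request dictionaries are constructed placeholders; the check is framework-neutral so it can be dropped into any request handler.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed placeholders: in a real deployment the secret comes from
# configuration and the session id from the session store.
SERVER_SECRET = b"replace-with-a-long-random-secret"
ALLOWED_ORIGIN = "https://bank.example"
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def issue_csrf_token(session_id):
    """Synchronizer-style token: random nonce bound to the session via HMAC,
    so a token issued for one session is useless in another."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def token_is_valid(session_id, token):
    """Recompute the MAC for this session and compare in constant time."""
    try:
        nonce, mac = token.split(".", 1)
    except (AttributeError, ValueError):  # missing, non-string or malformed token
        return False
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def origin_is_allowed(headers):
    """Check Origin first and fall back to Referer; reject when neither is present
    or when the value is the opaque 'null' origin."""
    origin = headers.get("Origin")
    if origin:
        return origin == ALLOWED_ORIGIN
    referer = headers.get("Referer")
    if referer:
        parts = urlsplit(referer)
        return f"{parts.scheme}://{parts.netloc}" == ALLOWED_ORIGIN
    return False


def check_request(method, headers, form, session_id):
    """Decide whether a request may change state. Safe methods pass through,
    which is why data must never be changed through GET."""
    if method.upper() not in STATE_CHANGING:
        return True, "safe method"
    if not origin_is_allowed(headers):
        return False, "origin mismatch"
    if not token_is_valid(session_id, form.get("csrf_token")):
        return False, "bad or missing csrf token"
    return True, "ok"


def session_cookie_header(session_id):
    """Set-Cookie value: SameSite=Lax stops the cookie riding on cross-site POSTs,
    Secure keeps it off plaintext HTTP, HttpOnly keeps it away from script."""
    return f"session={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    sid = "sess-1234"  # constructed session id
    tok = issue_csrf_token(sid)
    print(session_cookie_header(sid))
    print(check_request("POST", {"Origin": ALLOWED_ORIGIN}, {"csrf_token": tok}, sid))
    print(check_request("POST", {"Origin": "https://evil.example"}, {"csrf_token": tok}, sid))
    print(check_request("POST", {"Origin": ALLOWED_ORIGIN}, {}, sid))
```

Note that the Origin check runs before the token check, so a cross-site request is refused without ever touching the token, and that a token copied from one session fails validation in another because the session id is part of the MAC input.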

Relationship with JWT and XSS

JWT tokens sent in an Authorization header reduce classic CSRF risk because browsers do not attach them automatically. If the JWT is stored in a cookie, the risk returns. If XSS exists, an attacker may read a CSRF token or act as the user, so XSS protection remains essential.

Business Use

CSRF is not a feature; it is a transaction integrity risk. Member areas, payment flows, admin panels, address books, and user settings should include CSRF controls in security tests.