What is CSRF (Cross-Site Request Forgery)?
Turkish: CSRF
CSRF tricks a logged-in user's browser into sending an unwanted state-changing request, often by abusing automatic cookies.
What is CSRF?
CSRF (Cross-Site Request Forgery) happens when another site sends a request to a target application while the user still has a valid session there. Because browsers attach cookies automatically, the server may treat the request as if the user intentionally sent it.
How Does the Attack Work?
The user is logged in to a bank, admin panel, or e-commerce account. A page controlled by the attacker silently triggers a state-changing request, such as transferring money, changing an email address, or adding a shipping address. If the application trusts only the session cookie, the action may succeed.
Protection Methods
- Use unpredictable CSRF tokens for critical forms and requests
- Set cookies with SameSite=Lax or SameSite=Strict where appropriate
- Validate Origin and Referer headers
- Do not change data through GET requests
- Require re-authentication or confirmation for high-risk actions
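The checks listed above, combined into one server-side request filter. This is an added example, not code from the original page: it issues a per-session token with the secrets module, sets the session cookie with a SameSite attribute, compares the Origin (or, failing that, Referer) header against the site's own origin, and only then validates the token with a constant-time comparison. SITE_ORIGIN, the session store dictionary and the sample requests in demo() are all constructed for the illustration.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Hypothetical origin of the protected site; real deployments read this from config.
SITE_ORIGIN = "https://bank.example"

# session ID -> CSRF token. Stands in for a real server-side session store.
_csrf_tokens = {}

# Methods that change state and therefore need the CSRF check. GET/HEAD are
# deliberately excluded: they must never modify data in the first place.
STATE_CHANGING_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def issue_csrf_token(session_id):
    """Create an unpredictable per-session token and remember it server-side."""
    token = secrets.token_urlsafe(32)
    _csrf_tokens[session_id] = token
    return token


def session_cookie_header(session_id, same_site="Lax"):
    """Build the Set-Cookie header for the session with SameSite, Secure and HttpOnly."""
    if same_site not in ("Lax", "Strict"):
        raise ValueError("use Lax or Strict for the session cookie")
    return f"Set-Cookie: session={session_id}; Path=/; Secure; HttpOnly; SameSite={same_site}"


def _source_matches_site(headers):
    """Check the Origin header (preferred) or the Referer header against our origin."""
    origin = headers.get("Origin")
    if origin is not None:
        return origin == SITE_ORIGIN
    referer = headers.get("Referer")
    if referer is not None:
        parts = urlsplit(referer)
        return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN
    # Neither header present: a browser form submission normally carries at least one,
    # so treat the request as unverifiable rather than trusting the cookie alone.
    return False


def check_request(method, headers, cookies, form):
    """
    Decide whether a request should be accepted. Returns (accepted, reason).
    Cookies are attached by the browser automatically, so a valid session cookie
    on its own proves nothing about who initiated the request.
    """
    if method not in STATE_CHANGING_METHODS:
        return True, "safe method"
    session_id = cookies.get("session")
    if session_id is None or session_id not in _csrf_tokens:
        return False, "no valid session"
    if not _source_matches_site(headers):
        return False, "origin/referer mismatch"
    submitted = form.get("csrf_token", "")
    expected = _csrf_tokens[session_id]
    # compare_digest keeps the comparison time independent of where the strings differ
    if not hmac.compare_digest(submitted, expected):
        return False, "csrf token missing or wrong"
    return True, "ok"


def demo():
    """Constructed requests: a legitimate transfer and a cross-site forgery of it."""
    sid = "sess-123"
    token = issue_csrf_token(sid)
    cookies = {"session": sid}  # the browser sends this cookie with both requests
    legit = check_request(
        "POST", {"Origin": SITE_ORIGIN}, cookies,
        {"to": "alice", "amount": "10", "csrf_token": token})
    # The forged page cannot read the token and its Origin is its own site
    forged = check_request(
        "POST", {"Origin": "https://evil.example"}, cookies,
        {"to": "mallory", "amount": "1000"})
    return legit, forged


if __name__ == "__main__":
    print(session_cookie_header("sess-123", "Lax"))
    print(demo())
```

The Origin check runs before the token check so that a mismatch is rejected without touching session state, and the token check is kept even when Origin matches, because the header can be absent on some requests and a defence that rests on one signal only is brittle.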
Relationship with JWT and XSS
JWT tokens sent in an Authorization header reduce classic CSRF risk because browsers do not attach them automatically. If the JWT is stored in a cookie, the risk returns. If XSS exists, an attacker may read a CSRF token or act as the user, so XSS protection remains essential.
Business Use
CSRF is not a feature; it is a transaction integrity risk. Member areas, payment flows, admin panels, address books, and user settings should include CSRF controls in security tests.