Glossary

CSRF

Definition: Cross-Site Request Forgery — an attack that tricks a logged-in user's browser into sending an unwanted request to a web application.

CSRF (Cross-Site Request Forgery), pronounced "sea-surf", is a web security vulnerability that tricks a user's browser into making an unwanted request to a site where they are authenticated. Because the browser attaches the user's cookies automatically, the server receives a legitimate-looking request and, without a CSRF defence, cannot distinguish it from one the user actually intended.

How a CSRF Attack Works

  1. You are logged in to your bank's website in one browser tab.
  2. You visit a malicious website in another tab.
  3. The malicious page contains a hidden request to transfer money on your bank's site.
  4. Your browser sends this request automatically, including your bank's session cookie.
  5. Your bank processes the transfer as if you initiated it.

CSRF Protection: Anti-CSRF Tokens

The most effective defence is the synchroniser token pattern:

  1. The server generates a unique, random token for each session or request.
  2. The token is embedded in all HTML forms as a hidden field.
  3. The server verifies the token on every state-changing request (POST, PUT, DELETE).
  4. Since the attacker's site cannot read the token (blocked by Same-Origin Policy), forged requests fail.
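The four steps above as working code. This is an added example, not code from the original glossary or from any framework: it uses an in-memory session store (SESSIONS), a per-session token, and a constructed /transfer form handler to show that a forged cross-site POST, which carries the session cookie but cannot carry the token, is rejected.

```python
import hmac
import secrets
from html import escape

# In-memory session store, session_id -> session data (constructed for this example).
SESSIONS = {}


def create_session():
    """Step 1: start a session and mint one random token bound to it.

    The token is per session here; a per-request variant would mint a fresh
    token each time a form is rendered and retire it once used.
    """
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"csrf_token": secrets.token_urlsafe(32)}
    return sid


def render_transfer_form(sid):
    """Step 2: embed the session's token in the form as a hidden field."""
    token = SESSIONS[sid]["csrf_token"]
    return (
        '<form method="POST" action="/transfer">'
        f'<input type="hidden" name="csrf_token" value="{escape(token)}">'
        '<input name="amount"><button>Send</button></form>'
    )


def verify_csrf(sid, method, form):
    """Step 3: every state-changing request must carry the session's token."""
    if method.upper() in ("GET", "HEAD", "OPTIONS"):
        # Safe methods must not change state, so no token is required for them.
        return True
    session = SESSIONS.get(sid)
    if session is None:
        return False
    submitted = form.get("csrf_token", "")
    # Constant-time comparison so a wrong token cannot be found via timing differences.
    return hmac.compare_digest(submitted.encode(), session["csrf_token"].encode())


def handle_transfer(sid, method, form):
    """Constructed /transfer endpoint: the token check runs before any state change."""
    if not verify_csrf(sid, method, form):
        return 403, "CSRF token missing or invalid"
    return 200, f"transferred {form['amount']}"


if __name__ == "__main__":
    sid = create_session()                      # browser now holds the session cookie
    token = SESSIONS[sid]["csrf_token"]         # only our own page can read this
    # Genuine submission from our own form: cookie and token both present.
    print(handle_transfer(sid, "POST", {"csrf_token": token, "amount": "10"}))
    # Step 4: a cross-site page triggers the same POST; the browser attaches the
    # cookie (sid), but Same-Origin Policy keeps the attacker from reading the token.
    print(handle_transfer(sid, "POST", {"amount": "10"}))
```

The forged request fails at step 3 even though the session cookie is valid, which is exactly the property the pattern relies on: the cookie is sent automatically, the token is not.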

Other CSRF Defences

  • SameSite cookie attribute — Prevents cookies from being sent with cross-site requests. SameSite=Strict withholds the cookie on every cross-site request; SameSite=Lax still sends it on top-level GET navigations, so state-changing actions must not be reachable by GET.
  • Origin/Referer header validation — Verify that the request's Origin (or, failing that, Referer) header names your own domain.
  • Double submit cookie — A random value in both a cookie and a form field; the server verifies they match.
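The three defences above combined into one request check. This is an added example, not code from the original glossary or from any framework: ALLOWED_ORIGIN, the cookie names (session, csrf) and the header dictionaries are constructed for the example. It emits Set-Cookie headers with SameSite=Lax, validates Origin with Referer as the fallback, and enforces the double submit cookie with a constant-time comparison.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# The site's own origin; anything else is cross-site (assumed value for this example).
ALLOWED_ORIGIN = "https://bank.example"


def session_cookie_header(session_id):
    """SameSite=Lax: the browser withholds this cookie on cross-site POSTs."""
    return f"Set-Cookie: session={session_id}; Secure; HttpOnly; SameSite=Lax; Path=/"


def origin_check(headers):
    """Origin/Referer validation: accept only requests that name our own origin."""
    origin = headers.get("Origin")
    if origin is not None:
        # Browsers send the exact origin ("null" for opaque origins), so compare exactly.
        return origin == ALLOWED_ORIGIN
    referer = headers.get("Referer")
    if referer:
        parts = urlsplit(referer)
        return f"{parts.scheme}://{parts.netloc}" == ALLOWED_ORIGIN
    # Neither header present: fail closed rather than guess.
    return False


def issue_double_submit_cookie():
    """Random value the page will copy into a form field; no server-side state needed."""
    value = secrets.token_urlsafe(32)
    return value, f"Set-Cookie: csrf={value}; Secure; SameSite=Lax; Path=/"


def double_submit_check(cookies, form):
    """Double submit cookie: the form field must equal the cookie value."""
    cookie_value = cookies.get("csrf", "")
    form_value = form.get("csrf", "")
    if not cookie_value or not form_value:
        return False
    return hmac.compare_digest(cookie_value.encode(), form_value.encode())


def is_request_allowed(method, headers, cookies, form):
    """Gate for state-changing requests: both checks must pass."""
    if method.upper() in ("GET", "HEAD", "OPTIONS"):
        return True
    return origin_check(headers) and double_submit_check(cookies, form)


if __name__ == "__main__":
    value, cookie = issue_double_submit_cookie()
    print(session_cookie_header("constructed-session-id"))
    print(cookie)
    # Same-site form post: passes.
    print(is_request_allowed("POST", {"Origin": ALLOWED_ORIGIN}, {"csrf": value}, {"csrf": value}))
    # Cross-site page posting to us: Origin names the other site, and it cannot
    # read our cookie to fill in the matching form field, so both checks fail.
    print(is_request_allowed("POST", {"Origin": "https://other.example"}, {"csrf": value}, {}))
```

Origin is checked before Referer because browsers always attach Origin to cross-site POSTs, whereas Referer may be suppressed by referrer policy; a request with neither header is rejected rather than waved through.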

In ASP.NET Core, the @Html.AntiForgeryToken() helper and the [ValidateAntiForgeryToken] attribute implement anti-CSRF protection automatically.