Skip to content


cross site request forgery


blog (or embedded element): click a link to

already logged in to => it'll work

Avoiding a CSRF attack

  1. Same site cookie
    1. (Default is lax??)
  2. CSRF token
    1. hidden input in form
    2. Nonce
  3. HTTP only cookies
  4. Backend can check origin referrer header
  5. Captcha

Last update: 2023-04-24