Cross-site request forgery

CSRF is forgery of a valid request.

It is possible to forge a fake request if

To prevent it, we need at least one unpredictable parameter, a CSRF token.

This token is a large random value, unique per user & per user session.

Make sure your forms have CSRF tokens.

CSRF tokens should not be sent within cookies.

Use SameSite header to forbid sending the cookie via cross-origin requests