Security also: Cross-Site Request Forgery

CSRF

Attack: a third-party site causes the victim's browser to send authenticated requests to your origin. The browser attaches the victim's cookies (or HTTP auth credentials) to any request it makes to your origin regardless of which page triggered it, so a form auto-submitted from attacker.example arrives looking like the victim's own action.


In plain terms

Defenses: SameSite cookies, anti-CSRF tokens (synchroniser-token pattern), double-submit cookies, and Origin/Referer checks on state-changing requests. SameSite=Lax becoming the default in Chromium removed most of the classical attack surface, but it is not a complete defence: Lax cookies are still sent on top-level GET navigations, Chromium's "Lax + POST" exception lets a cookie set without a SameSite attribute ride on a cross-site POST for two minutes, and a sibling subdomain counts as same-site. Keep a token check on every request that changes state.
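The two server-side defences named above, combined in one check, as an added example (not code from any framework named on this page). It implements the signed double-submit variant: the token is an HMAC over the session identifier and a nonce, so a token minted for one session does not validate for another, which closes the hole in the naive "cookie equals form field" double-submit pattern where an attacker who can set a cookie on a sibling subdomain supplies both halves. The `Request` class, `ALLOWED_ORIGINS`, the cookie and field names and the sample requests are assumptions constructed for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Assumed deployment values (not from the page): a per-deployment server key
# and the origin(s) that are allowed to submit state-changing requests.
SECRET_KEY = secrets.token_bytes(32)
ALLOWED_ORIGINS = {"https://app.example"}
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def issue_token(session_id: str) -> str:
    """Mint a CSRF token bound to a session: nonce.HMAC(key, session_id.nonce).
    The server embeds this in rendered forms (synchroniser token) or sets it
    as a cookie the client copies into a header (signed double-submit)."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SECRET_KEY, f"{session_id}.{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def token_valid(token: str, session_id: str) -> bool:
    """Recompute the MAC for this session and compare in constant time."""
    try:
        nonce, mac = token.split(".", 1)
    except ValueError:
        return False
    expected = hmac.new(SECRET_KEY, f"{session_id}.{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


@dataclass
class Request:
    """Minimal stand-in for a framework request object (constructed for the example)."""
    method: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def request_origin(req: Request):
    """Origin header if present, otherwise scheme://host derived from Referer."""
    if "Origin" in req.headers:
        return req.headers["Origin"]
    referer = req.headers.get("Referer")
    if referer:
        parts = urlsplit(referer)
        return f"{parts.scheme}://{parts.netloc}"
    return None


def csrf_check(req: Request) -> tuple:
    """Return (allowed, reason). Safe methods are not checked, which is why a
    GET that changes state bypasses every token scheme and must not exist."""
    if req.method.upper() in SAFE_METHODS:
        return True, "safe method"
    # Defence 1: browsers send Origin on cross-site POST; a missing or foreign
    # origin (including the literal "null") is rejected outright.
    origin = request_origin(req)
    if origin not in ALLOWED_ORIGINS:
        return False, f"origin not allowed: {origin}"
    # Defence 2: session-bound token in the form body or a custom header.
    session_id = req.cookies.get("session")
    if not session_id:
        return False, "no session"
    token = req.form.get("csrf_token") or req.headers.get("X-CSRF-Token")
    if not token or not token_valid(token, session_id):
        return False, "bad or missing csrf token"
    return True, "ok"


if __name__ == "__main__":
    victim = "sess-victim"
    tok = issue_token(victim)
    # Legitimate submission from the application's own page.
    print(csrf_check(Request("POST", {"Origin": "https://app.example"},
                             {"session": victim}, {"csrf_token": tok})))
    # Forged submission: the cookie rides along, but the attacker cannot read
    # the token and the Origin header names their site.
    print(csrf_check(Request("POST", {"Origin": "https://attacker.example"},
                             {"session": victim}, {})))
```

Note that the Origin check on its own is already a strong defence for browsers that send the header; the token check is what protects clients or proxies that strip Referer and Origin, and it is the part that must be bound to the session rather than compared cookie-to-field.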

Origin

Recognised as a class of attack in the late 1990s, popularised by the 2007 OWASP Top 10. The double-submit cookie and synchroniser-token patterns evolved as defences; SameSite=Lax (Chrome 80, 2020) closed most of the gap by default.

Where it shows up in production
  • Django / Rails / Laravel All three generate a per-session CSRF token, embed it in server-rendered forms, and reject state-changing requests (POST, PUT, PATCH, DELETE) that do not carry a matching token.
  • SameSite=Lax cookies The default for cookies that set no SameSite attribute in Chromium-based browsers since 2020. Cookies are not sent on cross-site POST requests, which removes most classical CSRF, but they are still sent on top-level GET navigations, so nothing may change state on GET, and the defence only holds in browsers that enforce it.