
What is CSRF (Cross-Site Request Forgery)?

The Request You Never Meant to Send

Senior Software Engineer with 7+ years in Java, Spring Boot, and scalable backend systems. I help engineers crack backend/full-stack interviews, improve system design, and transition into cloud and AI with practical, real-world guidance.

Story Time

Imagine this: you go to your bank to withdraw money (I know you have banking apps, but bear with me here). The bank employee informs you that they can now take standing instructions from long-term customers, to whom they grant a signature stamp.

This stamp lets you authorize requests and send them by post: "Whenever a request comes with my signature stamp, treat it as me." That is the power that comes with this stamp.

And since you are a long-standing customer, the bank has already issued you one. You no longer have to drive down to the bank just to sign; you use the stamp at home and send the document by post whenever needed.

Now here’s the catch, you keep this stamp in your bag and one day, you walk into a crowded place. Someone nearby quietly:

  • Takes your bag for a moment

  • Uses your stamp on a document

  • Sends that document to your bank

You never saw it happen and never approved anything. But when the bank receives the document, it sees a valid stamp, assumes the owner must have sent the request, and processes it.

Now let's map this story to the real world. You (the user) visit the bank (a trusted website), which grants you the stamp (a cookie holding your session identity). Afterwards you visit the crowded place (a malicious website), where someone uses your stamp (the browser automatically attaching your cookie to a request aimed at the bank).

Now that we have set the premise for understanding CSRF, let's see what it is.

What is CSRF?

CSRF, or Cross-Site Request Forgery, is when a request is made to a system you are logged into (the trusted site) using your identity, but it is triggered by an untrusted site without your knowledge.

The system accepts it because it looks like it came from you.

Why Does This Happen?

Here's the core concept: when you log in to a website, the server gives your browser a cookie. That cookie represents your identity and is stored by your browser. Every request from then on looks like:

POST /action
Cookie: session=abc123

Now here is the important part: the cookie on those subsequent requests is not added by you. Your browser does it automatically every time.

And here is the problem: your browser does NOT check who triggered the request or whether you intended it. It only checks "Is this request going to the site this cookie belongs to? If yes, attach the cookie."

Step-by-Step: CSRF Attack Flow

I will try my best to simplify it as much as I can.

  1. Step 1 : You log into a trusted site. The login succeeds, a session is created on the backend, and the session id is sent back to you as a cookie.

  2. Step 2 : Your identity is now stored in the browser as a cookie.

    session=abc123
    
  3. Step 3 : You visit another (malicious) page. Nothing notable or suspicious occurs from your perspective.

  4. Step 4 : That malicious page silently triggers a request to the bank, for example with an image tag (an <img> makes a GET request, which is one reason state-changing actions should never be reachable via GET):

    <img src="https://bank.com/transfer?amount=10000&to=attacker" />
    
  5. Step 5 : When this happens the browser automatically attaches your cookie and the request is sent:

    GET /transfer?amount=10000&to=attacker
    Cookie: session=abc123
    
  6. Step 6 : The server processes it as your request, because to the server a valid cookie means a request from a valid user.

What Just Happened? You didn’t initiate anything or approve anything but your identity was still used. This is called a forged request.

What is a “Forged Request”?

A forged request is a request that appears to come from you but doesn't. The server cannot easily detect it, because the request carries your cookie (the signature) and otherwise looks exactly like a normal request.

Why CSRF is Dangerous

Anything you are allowed to do, such as transferring money, changing details or deleting data, can be triggered without your consent. The attacker doesn't need your password. They just need you to be logged in and to visit their page.

How is CSRF Prevented?

  1. CSRF Tokens : The server issues a secret, unguessable value and expects it to be included in every state-changing request. Only pages rendered by the real site know this token, so a forged request from another origin cannot supply it, and the server can separate a real request from a forged one.

    POST /transfer
    Cookie: session=abc123
    X-XSRF-TOKEN: xyz789abc123
    
  2. SameSite Cookies : We can configure cookies like the example below, which tells the browser "Only send this cookie for same-site requests". Strict withholds the cookie even on an ordinary link into the site from elsewhere, so many sites use SameSite=Lax (which modern browsers apply by default); treat SameSite as a second layer alongside tokens, not a replacement.

    Set-Cookie: session=abc123; SameSite=Strict
    
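Here is the server-side half of this story as an added example (my own Python, not code from the post). It assumes a constructed session store and a hypothetical handle_transfer() function, and ties the attack flow from the steps above to the token defence: the same forged request succeeds when the server trusts the cookie alone and is rejected once the token is required. SameSite is a browser-side setting and is not modelled here.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

SECRET_KEY = secrets.token_bytes(32)   # server-only key, never sent to the browser (constructed)
SESSIONS = {"abc123": "alice"}         # constructed session store: cookie value -> user

def issue_csrf_token(session_id: str) -> str:
    """Per-session token the real site embeds in its own pages; a foreign page cannot read it."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()

@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)

def parse_cookies(header: str) -> dict:
    """Turn 'a=1; b=2' into {'a': '1', 'b': '2'}."""
    pairs = (p.strip().split("=", 1) for p in header.split(";") if "=" in p)
    return {k: v for k, v in pairs}

def handle_transfer(req: Request, require_token: bool = True) -> tuple:
    """The server's decision for /transfer, returned as (status, reason)."""
    if req.method != "POST":
        return 405, "state-changing action is not reachable via GET"
    cookies = parse_cookies(req.headers.get("Cookie", ""))
    user = SESSIONS.get(cookies.get("session", ""))
    if user is None:
        return 401, "no valid session cookie"
    if require_token:  # the defence: a cookie alone is not proof of intent
        expected = issue_csrf_token(cookies["session"])
        supplied = req.headers.get("X-XSRF-TOKEN", "")
        if not hmac.compare_digest(expected, supplied):
            return 403, "missing or wrong CSRF token"
    return 200, f"transfer executed for {user}"

# Constructed requests: the browser attaches the cookie to all three, but only a page
# rendered by the real site can also supply the token.
GENUINE = Request("POST", "/transfer", {"Cookie": "session=abc123",
                                         "X-XSRF-TOKEN": issue_csrf_token("abc123")})
FORGED = Request("POST", "/transfer", {"Cookie": "session=abc123"})
IMG_GET = Request("GET", "/transfer?amount=10000&to=attacker", {"Cookie": "session=abc123"})

if __name__ == "__main__":
    print("genuine, token checked :", handle_transfer(GENUINE))             # 200
    print("forged, token checked  :", handle_transfer(FORGED))              # 403
    print("forged, no token check :", handle_transfer(FORGED, require_token=False))  # 200
    print("img GET, method checked:", handle_transfer(IMG_GET))             # 405
```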

Final Thoughts

CSRF uses your identity without your knowledge by abusing a browser feature: cookies are attached automatically. Servers trust any request that carries a valid cookie, attackers exploit that trust, and protection consists of proving that the request genuinely came from the site's own page.

If you remember one thing: "CSRF is not about breaking authentication. It's about misusing it."

The Real - Real Basics

Part 10 of 12

If you've ever felt like tech concepts are explained just one layer too high, this series is for you. "The Real – Real Basics" is not about definitions. It's about understanding what's actually happening underneath. Most resources jump straight into "This is a process", "This is a thread" and "This is memory", but they rarely answer the basic doubts that arise in everyone's mind: Why do these things even exist? What problem are they solving? What is the computer actually doing behind the scenes?

What you'll learn

This track covers the foundations every developer uses daily but often doesn't fully understand, the very basics of the basics, starting from What is a Computer (beyond keyboard + screen) and going up to How everything connects in real systems.

Who this is for

This is a supplement for beginners trying to build strong fundamentals, developers preparing for interviews, and engineers who "use things" but want to understand them deeply. To clarify, these are individual blogs that can help you understand what you have already been using or will be using in your current or new role. This is not a guided course.

What to expect

I plan to write these blogs in simple, easy-to-understand language that connects the "layman" in us to the "coder" in us. I'll try my level best to give the blogs story-driven explanations, clear mental models, real backend/system relevance and no unnecessary jargon (which is very hard to do, so when I use a term that needs clarifying, I'll try to explain it in the blog itself, and if I miss anything please let me know in the comments).

End goal

By the end of this series, you won't just know concepts, you'll be able to visualize them, reason about them, and use them with confidence in real systems.

This is where your foundation stops being memorized and starts becoming intuitive.
