What is CSRF? How it works and how to prevent attacks effectively

CSRF (Cross-Site Request Forgery) is becoming one of the biggest threats to network security today. If not careful, users can easily lose money without knowing it. So what is CSRF? How does it work and how to prevent CSRF? Let's  find out with TipsMake  in the following article.

What is CSRF?

CSRF is a type of phishing attack that causes users to unwittingly use their login credentials to perform state-altering operations, such as transferring funds from their account, changing their email address and password, or some other unwanted action.

How does CSRF work?

CSRF attacks exploit the trust between the browser and the user. When you log in, the browser stores information in cookies and automatically sends a request to the server. CSRF occurs when an attacker creates a fake request or exploits an existing request in the browser to send it to the server without the user's knowledge. If the user visits the attacker's website, they can perform unauthorized actions on the website the victim is logged in to.

Example of CSRF attack

In CSRF attacks, an attacker takes advantage of a logged-in user's access to a website to perform unwanted actions without the user's knowledge. 

For example: 

The hacker sends a malicious link via email. When the user clicks on the link, an unwanted request is sent to the website they are logged in to. For example: http://bank.com/transfer?amount=1000&to=attacker_account

If the user is logged into their online banking, this request will transfer $1000 from their account to the attacker's account without their consent.

Or hackers can insert an image tag into a web page that a user visits. When the page loads, the browser automatically sends a GET request to the URL in the src attribute of the image tag. 

How to prevent CSRF attacks?

How to prevent CSRF attacks?

Using CSRF Token

CSRF tokens are an effective way to prevent CSRF attacks. Every time a user makes a request to a server, a unique token is generated and sent along with the request. The server checks this token to confirm that the request is from a valid source. If the token is invalid or does not exist, the server rejects the request.

HTTP Authentication

HTTP authentication is a method that requires the user to provide authentication information (username and password) in the HTTP header when sending a request to a website. The server will check and only fulfill the request if the authentication information is valid.

Training, raising user awareness

Educate users about the consequences of CSRF attacks and how to avoid them, as well as avoiding clicking on strange links or visiting untrusted websites.

Use of Confidential Cookies 

Every request will be sent with cookies, including a secret cookie. The secret cookie can be used to store user session information. Combined with other security measures, this cookie can help authenticate client requests without being tampered with.

Execute Multi-Step Transactions

Multi-step transactions can increase security for important actions like changing a password or transferring funds. For example, requiring the user to confirm information before completing a transaction. Or sending a confirmation code via email or SMS to ensure that the user is the account owner.

Only accept POST requests

When performing important, sensitive operations, only accept POST requests to minimize the risk of CSRF, as most browsers do not automatically send a POST request when a user clicks on a link.

Conclude

Understanding CSRF and how it works is essential to protecting personal information and assets online. By implementing countermeasures such as CSRF tokens, HTTP authentication, and user awareness, we can reduce our risk of being attacked.

Samuel Daniel

Update 12 February 2025