Preventing Cross-Site Request Forgery (CSRF) Attacks

Cross-Site Request Forgery (CSRF)

Cross-Site Request Forgery is a serious vulnerability that results from poor session management. If the requests an application accepts aren't unique, an attacker can craft a special request in advance and deliver it to a user. If the user interacts with that crafted request while their session is still valid, and sessions aren't handled properly, the attacker can act under the user's session identity and have requests carried out on their behalf.

In many cases of CSRF, a malicious actor crafts a URL that carries a state-changing request, like this:
http://bank.com/send?recipient=Stranger&amount=2000

Preventing CSRF Attacks

Cross-Site Request Forgery (CSRF) attacks are relatively easy to mitigate. One of the simplest ways to accomplish this is through the use of CSRF tokens: unique values that the server-side application generates dynamically, sends to the client, and expects back with the request. Because these values are unique for every request and constantly changing, it is nearly impossible for an attacker to pre-create the URLs or requests needed for an attack.

A user's request reaches the web application only after the CSRF token it carries passes validation. An attacker who tries to mount a CSRF attack through that user cannot supply a valid token, so the token check fails and the user is not forced through the forged request.
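The token scheme described above, as an added example that is not part of the original article: a hypothetical bank's transfer form embeds a per-session token, the `/send` handler rejects any submission whose token does not match the one stored server-side, and the token is rotated after each use. The in-memory session store, session id and form field names are constructed for the demonstration.

```python
import hmac
import secrets

# Constructed in-memory session store keyed by session id; stands in for a
# real server-side session backend.
SESSIONS: dict = {}


def issue_csrf_token(session_id: str) -> str:
    """Generate an unpredictable token and bind it to the session on the server."""
    token = secrets.token_urlsafe(32)
    SESSIONS.setdefault(session_id, {})["csrf_token"] = token
    return token


def render_transfer_form(session_id: str) -> str:
    """Embed the session's token in the form as a hidden field (hypothetical form)."""
    token = issue_csrf_token(session_id)
    return (
        '<form method="POST" action="/send">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input name="recipient"><input name="amount"></form>'
    )


def handle_send(session_id: str, form: dict) -> str:
    """Process /send only when the submitted token matches the session's token."""
    session = SESSIONS.get(session_id)
    if session is None:
        return "rejected: no session"
    expected = session.get("csrf_token")
    submitted = form.get("csrf_token", "")
    # Constant-time comparison; a missing, stale or guessed token fails here.
    if not expected or not hmac.compare_digest(expected.encode(), submitted.encode()):
        return "rejected: invalid CSRF token"
    # Rotate the token after use so a token that leaks cannot be replayed.
    session["csrf_token"] = secrets.token_urlsafe(32)
    return f"sent {form['amount']} to {form['recipient']}"


if __name__ == "__main__":
    sid = "session-abc"  # constructed session id
    html = render_transfer_form(sid)
    token = html.split('value="')[1].split('"')[0]
    # Legitimate submission carries the token the server embedded in the form.
    print(handle_send(sid, {"csrf_token": token, "recipient": "Alice", "amount": "20"}))
    # Cross-site forgery: the attacker's page never sees the token, so it is absent.
    print(handle_send(sid, {"recipient": "Stranger", "amount": "2000"}))
```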
