NovaBlock

Cross-Site Request Forgery

Also known as: csrf, xsrf

Tricking a logged-in user's browser into sending an unwanted authenticated request to another site.

Updated 10 February 2026

In a CSRF attack, a page you visit silently submits a form to a different site where you're logged in — transferring money, changing an email, deleting an account. Because your browser attaches the session cookie automatically, the target site sees a legitimate request.

Mitigations include SameSite cookies (which now default to Lax in most browsers), CSRF tokens embedded in forms, and requiring re-authentication for sensitive actions.
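As an added example (not NovaBlock's own code), the following Python sketches the server side of the first two mitigations named above: a session cookie issued with SameSite=Lax (plus Secure and HttpOnly), and a per-session synchronizer token that is embedded in the form and verified on submission, with an Origin/Referer check as a second layer. The in-memory session store, the site origin `https://bank.example`, the `/transfer` endpoint and every function name are assumptions made for this example.

```python
import hmac
import html
import secrets
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed in-memory session store (assumption for this example):
# session id -> {"csrf": per-session synchronizer token}.
SESSIONS = {}

# Assumed origin of the protected site; a real deployment would configure this.
SITE_ORIGIN = "https://bank.example"


def new_session():
    """Create a session and its CSRF token; return the session id."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"csrf": secrets.token_urlsafe(32)}
    return sid


def session_cookie_header(sid):
    """Set-Cookie header for the session: SameSite=Lax so cross-site POSTs
    from other origins do not carry it, Secure and HttpOnly as usual."""
    c = SimpleCookie()
    c["session"] = sid
    c["session"]["samesite"] = "Lax"
    c["session"]["secure"] = True
    c["session"]["httponly"] = True
    c["session"]["path"] = "/"
    return c.output(header="Set-Cookie:").strip()


def render_transfer_form(sid):
    """Embed the per-session token in the form as a hidden field."""
    token = html.escape(SESSIONS[sid]["csrf"], quote=True)
    return (
        '<form method="POST" action="/transfer">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input name="amount"><button>Send</button></form>'
    )


def _same_origin(header_value, expected):
    """Compare scheme and host:port of an Origin/Referer value to our origin."""
    got, exp = urlsplit(header_value), urlsplit(expected)
    return (got.scheme, got.netloc) == (exp.scheme, exp.netloc)


def handle_transfer(method, headers, form):
    """Server-side handling of /transfer. Returns (status, reason).

    headers: dict of request headers; form: dict of submitted fields.
    """
    # State-changing actions only on POST: SameSite=Lax still attaches the
    # cookie to top-level GET navigations, so a GET endpoint stays forgeable.
    if method != "POST":
        return 405, "method not allowed"

    cookie = SimpleCookie()
    cookie.load(headers.get("Cookie", ""))
    sid = cookie["session"].value if "session" in cookie else None
    sess = SESSIONS.get(sid)
    if sess is None:
        return 401, "no session"

    # Check 1: the request must come from our own site.
    source = headers.get("Origin") or headers.get("Referer")
    if not source or not _same_origin(source, SITE_ORIGIN):
        return 403, "cross-origin request rejected"

    # Check 2: the hidden field must match the token bound to this session.
    # A page on another site cannot read our form, so it cannot supply it.
    submitted = form.get("csrf_token", "")
    if not hmac.compare_digest(submitted.encode(), sess["csrf"].encode()):
        return 403, "csrf token mismatch"

    return 200, "transfer accepted"


def demo():
    """One legitimate submission and one forged submission (constructed)."""
    sid = new_session()
    token = SESSIONS[sid]["csrf"]
    base = {"Cookie": f"session={sid}"}
    # Legitimate: submitted from our own page with the token it rendered.
    legit = handle_transfer("POST", {**base, "Origin": SITE_ORIGIN},
                            {"csrf_token": token, "amount": "100"})
    # Forged: a page on another origin auto-submits a form; the browser
    # would attach the cookie (absent SameSite), but the token is absent.
    forged = handle_transfer("POST", {**base, "Origin": "https://evil.example"},
                             {"amount": "100"})
    return legit, forged
```

The POST-only check is there because of the Lax caveat: a top-level navigation (a plain link or `window.location` change) still carries a Lax cookie, so any state change reachable by GET is not protected by the cookie attribute alone. The third mitigation on the page, re-authenticating before sensitive actions, is not shown; it would sit in `handle_transfer` as an additional password or second-factor check before the transfer is accepted.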
