Mitigation of Cross-Site Request Forgery

Learn about the standard ways of mitigating CSRF attacks.

Overview

From the practice session, we have developed an understanding of the sort of damage CSRF attacks can cause. Thankfully, protecting web applications against CSRF is rather simple. Let’s look at the various methods of mitigation.

Anti-CSRF tokens

Each anti-CSRF token is a random, unique, and secret value with a short expiration time that’s generated on the server and then shared with the client. User actions, such as form submissions, ask the client to include the correct anti-CSRF token in the request for a successful response. Without the token, the attacker can’t really do anything.

If poor coding or design practices have been employed, a crafty adversary could probably remove the use of the token or its requirement altogether or even use the token of another compromised account. A very brief example would be a web application using anti-CSRF tokens with the GET method. The adversary could then clearly see the token and simply use it themselves.

Get hands-on with 1400+ tech skills courses.