CSRF is an attack that forces an authenticated user to execute unwanted actions on a web application in which they are currently authenticated.
How do "CSRF Tokens" protect users?
The server sends a unique, secret token to the browser. Every subsequent request from the browser must include this token. An attacker on a different site won't know this token, so their forged requests will be rejected.