JavaScript Security

CSRF Protection

Prevent Cross-Site Request Forgery attacks

Find videos you like?

Save to resource drawer for future reference!

What is CSRF (Cross-Site Request Forgery)?

CSRF is an attack that tricks a user's browser into making unwanted requests to a website where they're authenticated. Attackers exploit the browser's automatic inclusion of cookies to perform actions on behalf of the victim.

How CSRF Works

1. User logs into legitimate site (e.g., bank.com)
2. Browser stores authentication cookie
3. User visits malicious site (evil.com)
4. Malicious site triggers request to bank.com
5. Browser automatically includes cookie
6. Bank accepts request as legitimate

CSRF Attack Scenario

Understanding the vulnerability

Example: Money Transfer

User is logged into bank.com. Attacker sends email with hidden form:

<form action="https://bank.com/transfer" method="POST" id="csrf"> <input type="hidden" name="to" value="attacker-account"> <input type="hidden" name="amount" value="10000"> </form> <script>document.getElementById('csrf').submit();</script>

❌ Browser sends cookies automatically → Money transferred without user's knowledge!

Other Attack Vectors

• Image tags: <img src="bank.com/transfer?to=attacker">
• AJAX requests from malicious sites
• Hidden iframes with forms
• Link clicks that trigger state changes

Example 1: Vulnerable Backend

❌ No CSRF protection

// ❌ VULNERABLE: No CSRF token verification
app.post('/transfer', (req, res) => {
  // Only checks if user is authenticated via cookie
  if (!req.session.userId) {
    return res.status(401).send('Unauthorized');
  }
  
  // Performs action without verifying request origin
  const { to, amount } = req.body;
  transferMoney(req.session.userId, to, amount);
  
  res.send('Transfer successful');
});

// ❌ VULNERABLE: Frontend form without token
<form action="/transfer" method="POST">
  <input name="to" value="recipient-account">
  <input name="amount" value="100">
  <button>Transfer</button>
</form>

// Attacker can trigger this from ANY website!

CSRF Protection Methods

Defense strategies

CSRF Tokens

Generate unique token per session/request

•Include in form as hidden field
•Send in custom header for AJAX
•Verify on server before action

SameSite Cookies

Browser prevents cookies in cross-site requests

•SameSite=Strict (most secure)
•SameSite=Lax (balanced)
•No cookies on cross-origin POST

Double Submit Cookie

Send token in both cookie and request body

•Set token in cookie
•Read cookie via JavaScript
•Send same value in header/body

Custom Headers

Leverage CORS to require custom headers

•Simple forms can't set custom headers
•Use with AJAX/fetch requests
•Example: X-Requested-With

Example 2: CSRF Token Protection

✅ Secure implementation with tokens

// Backend: Generate and validate CSRF tokens
import crypto from 'crypto';

// Generate CSRF token
function generateCSRFToken() {
  return crypto.randomBytes(32).toString('hex');
}

// Middleware to generate token
app.use((req, res, next) => {
  if (!req.session.csrfToken) {
    req.session.csrfToken = generateCSRFToken();
  }
  res.locals.csrfToken = req.session.csrfToken;
  next();
});

// Middleware to verify token
function verifyCSRFToken(req, res, next) {
  const token = req.body._csrf || req.headers['x-csrf-token'];
  
  if (!token || token !== req.session.csrfToken) {
    return res.status(403).json({ error: 'Invalid CSRF token' });
  }
  
  next();
}

// ✅ PROTECTED: Transfer endpoint with CSRF protection
app.post('/transfer', verifyCSRFToken, (req, res) => {
  if (!req.session.userId) {
    return res.status(401).send('Unauthorized');
  }
  
  const { to, amount } = req.body;
  transferMoney(req.session.userId, to, amount);
  
  res.send('Transfer successful');
});

// Render token in page
app.get('/transfer-page', (req, res) => {
  res.render('transfer', { csrfToken: req.session.csrfToken });
});

Example 3: Frontend CSRF Token Usage

Including tokens in requests

// ✅ Method 1: Hidden field in form
<form action="/transfer" method="POST">
  <input type="hidden" name="_csrf" value="<%= csrfToken %>">
  <input name="to" value="recipient-account">
  <input name="amount" value="100">
  <button>Transfer</button>
</form>

// ✅ Method 2: AJAX with custom header
function transferMoney(to, amount) {
  // Get token from meta tag
  const token = document.querySelector('meta[name="csrf-token"]').content;
  
  fetch('/transfer', {
    method: 'POST',
    headers: {
      'Content-Type': 'application/json',
      'X-CSRF-Token': token  // Custom header
    },
    credentials: 'same-origin',  // Include cookies
    body: JSON.stringify({ to, amount })
  })
  .then(response => {
    if (!response.ok) throw new Error('Transfer failed');
    return response.json();
  })
  .then(data => console.log('Success:', data))
  .catch(error => console.error('Error:', error));
}

// ✅ Method 3: Axios with interceptor
import axios from 'axios';

// Set CSRF token for all requests
axios.defaults.xsrfCookieName = 'csrftoken';
axios.defaults.xsrfHeaderName = 'X-CSRF-Token';

// Or use interceptor
axios.interceptors.request.use(config => {
  const token = document.querySelector('meta[name="csrf-token"]').content;
  config.headers['X-CSRF-Token'] = token;
  return config;
});

// Now all requests include token automatically
axios.post('/transfer', { to: 'account', amount: 100 });

Example 4: SameSite Cookie Protection

Modern browser-based CSRF defense

// ✅ Set SameSite attribute on session cookies

// Express with cookie-session
app.use(cookieSession({
  name: 'session',
  secret: 'your-secret-key',
  sameSite: 'strict',  // or 'lax'
  httpOnly: true,      // Prevent JavaScript access
  secure: true,        // HTTPS only
  maxAge: 24 * 60 * 60 * 1000  // 24 hours
}));

// Express with express-session
app.use(session({
  secret: 'your-secret-key',
  cookie: {
    sameSite: 'strict',
    httpOnly: true,
    secure: true,
    maxAge: 24 * 60 * 60 * 1000
  }
}));

// Manual cookie setting
res.cookie('sessionId', sessionId, {
  sameSite: 'strict',  // Prevents cross-site usage
  httpOnly: true,
  secure: true
});

/*
SameSite Values:
- Strict: Never send cookie cross-site (most secure)
- Lax: Send on top-level navigation (GET only)
- None: Always send (requires Secure flag)
*/

// ✅ Example with different SameSite values
// Strict - No cross-site cookies at all
res.cookie('auth', token, { sameSite: 'strict' });
// Even clicking link from google.com won't send cookie

// Lax - Allows safe cross-site navigation
res.cookie('auth', token, { sameSite: 'lax' });
// Link from google.com → yoursite.com (cookie sent)
// Form POST from evil.com → yoursite.com (cookie NOT sent)

// None - No protection (not recommended)
res.cookie('tracking', id, { sameSite: 'none', secure: true });
// Only use for legitimate cross-site scenarios

CSRF Protection Best Practices

Security guidelines

✅ Do

• Use CSRF tokens for state-changing operations
• Set SameSite=Lax or Strict on cookies
• Verify Origin/Referer headers
• Use POST/PUT/DELETE for state changes
• Implement token rotation
• Use HttpOnly and Secure cookie flags
• Require re-authentication for sensitive actions
• Use CORS properly for APIs

❌ Don't

• Use GET for state-changing operations
• Rely solely on cookies for authentication
• Skip CSRF protection on "minor" actions
• Use predictable tokens
• Store tokens in localStorage (XSS risk)
• Disable SameSite for convenience
• Forget to verify token on server
• Trust client-side validation only

Key Takeaways

🔑

Use CSRF Tokens

Generate unique tokens per session
Verify on every state-changing request

🍪

SameSite Cookies

Set SameSite=Lax or Strict
Modern, effective CSRF defense

🚫

No GET for State Changes

Use POST/PUT/DELETE only
GET should be read-only

🔒

Layer Defenses

Tokens + SameSite + Origin checks
Defense in depth approach

Critical for State Changes

CSRF protection is essential for any action that modifies data (transfers, deletions, updates). Combine multiple techniques for strongest defense!

Previous Topic

XSS Prevention

Cross-site scripting attacks and mitigation.

Next Topic

Content Security Policy

CSP headers for enhanced security.

Ask a Question

Have a question about CSRF Protection? Ask our AI assistant.

🔐 Login to use AI Assistant

JavaScript Code Editor

Write and experiment with JavaScript code.

Output

Click "Run Code" to see the output.

JavaScript Security

CSRF Protection

Prevent Cross-Site Request Forgery attacks

Find videos you like?

Save to resource drawer for future reference!

What is CSRF (Cross-Site Request Forgery)?

How CSRF Works

CSRF Attack Scenario

Understanding the vulnerability

Example: Money Transfer

User is logged into bank.com. Attacker sends email with hidden form:

❌ Browser sends cookies automatically → Money transferred without user's knowledge!

Other Attack Vectors

• Image tags: <img src="bank.com/transfer?to=attacker">
• AJAX requests from malicious sites
• Hidden iframes with forms
• Link clicks that trigger state changes

Example 1: Vulnerable Backend

❌ No CSRF protection

// ❌ VULNERABLE: No CSRF token verification
app.post('/transfer', (req, res) => {
  // Only checks if user is authenticated via cookie
  if (!req.session.userId) {
    return res.status(401).send('Unauthorized');
  }
  
  // Performs action without verifying request origin
  const { to, amount } = req.body;
  transferMoney(req.session.userId, to, amount);
  
  res.send('Transfer successful');
});

// ❌ VULNERABLE: Frontend form without token
<form action="/transfer" method="POST">
  <input name="to" value="recipient-account">
  <input name="amount" value="100">
  <button>Transfer</button>
</form>

// Attacker can trigger this from ANY website!

CSRF Protection Methods

Defense strategies

CSRF Tokens

Generate unique token per session/request

•Include in form as hidden field
•Send in custom header for AJAX
•Verify on server before action

SameSite Cookies

Browser prevents cookies in cross-site requests

•SameSite=Strict (most secure)
•SameSite=Lax (balanced)
•No cookies on cross-origin POST

Double Submit Cookie

Send token in both cookie and request body

•Set token in cookie
•Read cookie via JavaScript
•Send same value in header/body

Custom Headers

Leverage CORS to require custom headers

•Simple forms can't set custom headers
•Use with AJAX/fetch requests
•Example: X-Requested-With

Example 2: CSRF Token Protection

✅ Secure implementation with tokens

// Backend: Generate and validate CSRF tokens
import crypto from 'crypto';

// Generate CSRF token
function generateCSRFToken() {
  return crypto.randomBytes(32).toString('hex');
}

// Middleware to generate token
app.use((req, res, next) => {
  if (!req.session.csrfToken) {
    req.session.csrfToken = generateCSRFToken();
  }
  res.locals.csrfToken = req.session.csrfToken;
  next();
});

// Middleware to verify token
function verifyCSRFToken(req, res, next) {
  const token = req.body._csrf || req.headers['x-csrf-token'];
  
  if (!token || token !== req.session.csrfToken) {
    return res.status(403).json({ error: 'Invalid CSRF token' });
  }
  
  next();
}

// ✅ PROTECTED: Transfer endpoint with CSRF protection
app.post('/transfer', verifyCSRFToken, (req, res) => {
  if (!req.session.userId) {
    return res.status(401).send('Unauthorized');
  }
  
  const { to, amount } = req.body;
  transferMoney(req.session.userId, to, amount);
  
  res.send('Transfer successful');
});

// Render token in page
app.get('/transfer-page', (req, res) => {
  res.render('transfer', { csrfToken: req.session.csrfToken });
});

Example 3: Frontend CSRF Token Usage

Including tokens in requests

// ✅ Method 1: Hidden field in form
<form action="/transfer" method="POST">
  <input type="hidden" name="_csrf" value="<%= csrfToken %>">
  <input name="to" value="recipient-account">
  <input name="amount" value="100">
  <button>Transfer</button>
</form>

// ✅ Method 2: AJAX with custom header
function transferMoney(to, amount) {
  // Get token from meta tag
  const token = document.querySelector('meta[name="csrf-token"]').content;
  
  fetch('/transfer', {
    method: 'POST',
    headers: {
      'Content-Type': 'application/json',
      'X-CSRF-Token': token  // Custom header
    },
    credentials: 'same-origin',  // Include cookies
    body: JSON.stringify({ to, amount })
  })
  .then(response => {
    if (!response.ok) throw new Error('Transfer failed');
    return response.json();
  })
  .then(data => console.log('Success:', data))
  .catch(error => console.error('Error:', error));
}

// ✅ Method 3: Axios with interceptor
import axios from 'axios';

// Set CSRF token for all requests
axios.defaults.xsrfCookieName = 'csrftoken';
axios.defaults.xsrfHeaderName = 'X-CSRF-Token';

// Or use interceptor
axios.interceptors.request.use(config => {
  const token = document.querySelector('meta[name="csrf-token"]').content;
  config.headers['X-CSRF-Token'] = token;
  return config;
});

// Now all requests include token automatically
axios.post('/transfer', { to: 'account', amount: 100 });

Example 4: SameSite Cookie Protection

Modern browser-based CSRF defense

// ✅ Set SameSite attribute on session cookies

// Express with cookie-session
app.use(cookieSession({
  name: 'session',
  secret: 'your-secret-key',
  sameSite: 'strict',  // or 'lax'
  httpOnly: true,      // Prevent JavaScript access
  secure: true,        // HTTPS only
  maxAge: 24 * 60 * 60 * 1000  // 24 hours
}));

// Express with express-session
app.use(session({
  secret: 'your-secret-key',
  cookie: {
    sameSite: 'strict',
    httpOnly: true,
    secure: true,
    maxAge: 24 * 60 * 60 * 1000
  }
}));

// Manual cookie setting
res.cookie('sessionId', sessionId, {
  sameSite: 'strict',  // Prevents cross-site usage
  httpOnly: true,
  secure: true
});

/*
SameSite Values:
- Strict: Never send cookie cross-site (most secure)
- Lax: Send on top-level navigation (GET only)
- None: Always send (requires Secure flag)
*/

// ✅ Example with different SameSite values
// Strict - No cross-site cookies at all
res.cookie('auth', token, { sameSite: 'strict' });
// Even clicking link from google.com won't send cookie

// Lax - Allows safe cross-site navigation
res.cookie('auth', token, { sameSite: 'lax' });
// Link from google.com → yoursite.com (cookie sent)
// Form POST from evil.com → yoursite.com (cookie NOT sent)

// None - No protection (not recommended)
res.cookie('tracking', id, { sameSite: 'none', secure: true });
// Only use for legitimate cross-site scenarios

CSRF Protection Best Practices

Security guidelines

✅ Do

• Use CSRF tokens for state-changing operations
• Set SameSite=Lax or Strict on cookies
• Verify Origin/Referer headers
• Use POST/PUT/DELETE for state changes
• Implement token rotation
• Use HttpOnly and Secure cookie flags
• Require re-authentication for sensitive actions
• Use CORS properly for APIs

❌ Don't

• Use GET for state-changing operations
• Rely solely on cookies for authentication
• Skip CSRF protection on "minor" actions
• Use predictable tokens
• Store tokens in localStorage (XSS risk)
• Disable SameSite for convenience
• Forget to verify token on server
• Trust client-side validation only

Key Takeaways

🔑

Use CSRF Tokens

Generate unique tokens per session
Verify on every state-changing request

🍪

SameSite Cookies

Set SameSite=Lax or Strict
Modern, effective CSRF defense

🚫

No GET for State Changes

Use POST/PUT/DELETE only
GET should be read-only

🔒

Layer Defenses

Tokens + SameSite + Origin checks
Defense in depth approach

Critical for State Changes

CSRF protection is essential for any action that modifies data (transfers, deletions, updates). Combine multiple techniques for strongest defense!

Coder Pod - Learn Programming Online | AI Coding Tutor & Interview Practice

XSS Prevention

Content Security Policy

JavaScript Code Editor

Building Your Learning Module...

CSRF Protection

What is CSRF (Cross-Site Request Forgery)?

How CSRF Works

Example: Money Transfer

Other Attack Vectors

CSRF Tokens

SameSite Cookies

Double Submit Cookie

Custom Headers

✅ Do

❌ Don't

Key Takeaways

Use CSRF Tokens

SameSite Cookies

No GET for State Changes

Layer Defenses

Critical for State Changes

XSS Prevention

Content Security Policy

JavaScript Code Editor

CSRF Protection

What is CSRF (Cross-Site Request Forgery)?

How CSRF Works

Example: Money Transfer

Other Attack Vectors

CSRF Tokens

SameSite Cookies

Double Submit Cookie

Custom Headers

✅ Do

❌ Don't

Key Takeaways

Use CSRF Tokens

SameSite Cookies

No GET for State Changes

Layer Defenses

Critical for State Changes