Friday 26 June 2026 02:40:11 GMT+02:00


WIKICROOK

CSRF

A web attack that tricks a trusted user’s browser into sending unwanted actions to a site.

CSRF, or Cross-Site Request Forgery, is a web attack that causes a victim’s browser to send a request to a site where the victim is already authenticated. The browser automatically attaches cookies, session tokens, or other credentials to that request, so it can look legitimate to the server even though the user never intended to make it.

CSRF matters because it can let an attacker change settings, submit forms, create accounts, or trigger administrative actions without stealing the user’s password. It is especially dangerous on exposed admin panels, dashboards, and other state-changing endpoints. Defenses include per-request anti-CSRF tokens, checking the request Origin or Referer header, using SameSite cookies, and requiring reauthentication for sensitive actions. In practice, security teams look for endpoints that accept browser-based requests without strong anti-forgery controls.
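The three server-side checks named above (an anti-CSRF token compared against the session, an Origin/Referer check, and a SameSite session cookie) can be combined into a single decision on each state-changing request. The following is an added example, not code from this site; the origin `https://app.example`, the header names and the request shapes are constructed for illustration.

```python
import hmac
import secrets
from typing import Mapping, Optional

# Constructed values for this example: the site's own origin and the
# HTTP methods that are allowed to change server-side state.
SITE_ORIGIN = "https://app.example"
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def new_csrf_token() -> str:
    """Mint an unguessable anti-CSRF token; store it in the session and embed it in forms."""
    return secrets.token_urlsafe(32)


def origin_allowed(headers: Mapping[str, str]) -> bool:
    """Accept the request only if its Origin (or, failing that, Referer) is our own site.
    A form auto-submitted from an attacker's page carries that page's origin, so it fails here.
    A request with neither header is rejected (fail closed)."""
    origin = headers.get("Origin")
    if origin is not None:
        return origin == SITE_ORIGIN
    referer = headers.get("Referer", "")
    return referer == SITE_ORIGIN or referer.startswith(SITE_ORIGIN + "/")


def token_matches(session_token: Optional[str], submitted: Optional[str]) -> bool:
    """Constant-time comparison of the token stored in the session with the one the form sent."""
    if not session_token or not submitted:
        return False
    return hmac.compare_digest(session_token.encode(), submitted.encode())


def is_forgery(method: str, headers: Mapping[str, str],
               session_token: Optional[str], form_token: Optional[str]) -> bool:
    """True when a state-changing request lacks a valid origin or a valid anti-CSRF token.
    Read-only methods are not CSRF targets and pass through untouched."""
    if method.upper() not in STATE_CHANGING:
        return False
    return not (origin_allowed(headers) and token_matches(session_token, form_token))


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value for the session: SameSite=Lax keeps the cookie off cross-site POSTs."""
    return f"session={session_id}; Secure; HttpOnly; SameSite=Lax; Path=/"


if __name__ == "__main__":
    tok = new_csrf_token()
    # Constructed cross-site form post: wrong origin and no token -> rejected.
    print(is_forgery("POST", {"Origin": "https://attacker.example"}, tok, None))
    # Constructed same-site post carrying the session's token -> accepted.
    print(is_forgery("POST", {"Origin": SITE_ORIGIN}, tok, tok))
```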
