what is csrf

Cross-site request forgery (CSRF) is a type of malicious exploit of a website or web application where unauthorized commands are submitted from a user that the web application trusts. In a CSRF attack, an attacker tricks an innocent user into submitting a web request that they did not intend, causing actions to be performed on the website that can include inadvertent client or server data leakage, change of session state, or manipulation of an end users account. CSRF attacks target functionality that causes a state change on the server, such as changing the victim’s email address or password, or purchasing something. To prevent CSRF attacks, applications need a way to determine if the HTTP request is legitimately generated via the application’s user interface. The best way to achieve this is through a CSRF token, which is a secure random token that is used to prevent CSRF attacks. A CSRF token is a unique, secret, and secure random token that needs to be unique per user session and should be of large random value to make it difficult to guess.