Cross-Site Request Forgery (CSRF)

Status: draft · Confidence: medium (0.635) · Basis: verified_sources


## TL;DR

CSRF forces an authenticated user's browser to execute unwanted actions on a web application. The attacker tricks the victim's browser into sending a request that the application treats as legitimate because it automatically carries the user's session cookie. Prevention: anti-CSRF tokens, SameSite cookies, and requiring a custom request header.

## Core Explanation

- SameSite cookie attribute (2020+): `Strict` is never sent on cross-site requests; `Lax` (the default since Chrome 80) is sent cross-site only on top-level navigations using GET; `None` is always sent and requires the `Secure` attribute.
- Modern frameworks (Laravel, Django, Rails) include CSRF protection by default.
- Double-submit cookie pattern: the server sets a token in a cookie, the client sends the same token in a request header, and the server accepts the request only if the two values match.
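Added example, not code from the original page: a minimal double-submit-cookie check (token in a cookie compared against a request header) together with a small model of which cross-site requests carry a cookie under each SameSite value. The cookie and header names and all function names are assumptions.

```python
import hmac
import secrets

# Assumed names (not from the page): cookie and header used for the token.
COOKIE_NAME = "csrf_token"
HEADER_NAME = "X-CSRF-Token"


def issue_csrf_token() -> str:
    """Random, unguessable per-session token (32 bytes, URL-safe)."""
    return secrets.token_urlsafe(32)


def set_cookie_header(token: str, samesite: str = "Lax") -> str:
    """Set-Cookie value for the token. Deliberately not HttpOnly: the page's
    script must read it to copy it into the header. None requires Secure."""
    if samesite not in ("Strict", "Lax", "None"):
        raise ValueError("SameSite must be Strict, Lax or None")
    return f"{COOKIE_NAME}={token}; Path=/; Secure; SameSite={samesite}"


def validate_double_submit(cookies: dict, headers: dict) -> bool:
    """Accept only if both tokens are present and equal. Header keys are
    assumed to be normalised to canonical case by the server framework."""
    cookie_tok = cookies.get(COOKIE_NAME)
    header_tok = headers.get(HEADER_NAME)
    if not cookie_tok or not header_tok:
        return False
    # Constant-time comparison avoids leaking the token via timing.
    return hmac.compare_digest(cookie_tok, header_tok)


def cookie_sent(samesite: str, cross_site: bool,
                top_level_nav: bool, method: str) -> bool:
    """Model of browser behaviour for a cookie with the given SameSite value."""
    if not cross_site:
        return True           # same-site requests always carry the cookie
    if samesite == "None":
        return True           # always sent (cookie must also be Secure)
    if samesite == "Strict":
        return False          # never sent cross-site
    # Lax: only top-level navigations using a safe method (GET)
    return top_level_nav and method.upper() == "GET"
```

The model does not include Chrome's temporary "Lax + POST" exception for cookies set without an explicit SameSite attribute, so set the attribute explicitly rather than relying on the default.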

## Related Articles

- [Cross-Site Scripting (XSS)](../cross-site-scripting-xss.md)
- [AI for Archaeology: Site Detection, Artifact Classification, and Digital Heritage Preservation](../../ai/ai-for-archaeology.md)
- [AI for Location Intelligence: Geospatial Analytics, POI Recommendation, and Site Selection](../../ai/ai-location-intelligence.md)