Cross-Site Request Forgery, usually shortened to CSRF, is an attack that tricks your browser into performing an action on a site you are already logged into, without you realising it. You never clicked the dangerous button, but your browser sent the request anyway, carrying your active session along with it.
Here is the trick in plain terms. Say you are logged into your bank in one tab. You then open a booby-trapped page in another, and that page silently submits a “transfer money” request to your bank. Because your browser still holds your bank login, the request arrives looking exactly like something you did on purpose. The site has no obvious way to tell the difference. This is different from cross-site scripting, which injects code into a page; CSRF abuses trust the site already placed in your logged-in session.
The trick is not limited to banks. The same attack can change your account email, delete a record, or approve a payment on any site where a single request does something meaningful. A hidden form or an image tag pointing at the target URL is often enough to fire it.
The standard fix is a CSRF token: a secret value the server gives your page and demands back on every sensitive action. A forged request from another site cannot guess it. Most modern frameworks also set the SameSite cookie attribute, which tells the browser not to send your session along on requests coming from another site. Strong authentication and careful security headers reduce the risk further.
At TopDevs we build CSRF protection into every form and action by default, so a malicious page in another tab cannot quietly act on your users’ behalf.