CSRF (Cross-Site Request Forgery)

An attack that tricks a logged-in user's browser into sending an unwanted state-changing request to your app.

CSRF abuses the fact that browsers attach your cookies to any request to your domain. If a logged-in user visits a malicious page, that page can silently make their browser POST to your app, changing a password or transferring funds, without the attacker ever seeing the response. The request looks legitimate because it carries the victim's real session.

For a founder it matters because every cookie-authenticated action that changes state is exposed, and the gap is easy to overlook while focusing on features. It remains part of the OWASP Top 10 family of access flaws.

Defend against it with anti-CSRF tokens on state-changing requests and SameSite cookies. APIs that authenticate with bearer tokens instead of cookies are largely immune, because the browser does not attach those tokens automatically, which is why token-based setups dodge this class of bug.