The latest articles on DEV Community by Rouwel Ngacha (@rrouwelng). https://dev.to/rrouwelng https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3924978%2F2d5c38e4-653e-4d1b-8628-91c93c7fd86c.png https://dev.to/rrouwelng en Rouwel Ngacha Mon, 11 May 2026 18:39:13 +0000 https://dev.to/rrouwelng/the-csrf-token-593p https://dev.to/rrouwelng/the-csrf-token-593p <p>Hello world, my name is rrouwelng and I am here to talk about the CSRF token. </p> <p>So, what is a CSRF token? A Cross-Site Request Forgery token is a unique and unpredictable value generated by server-side application. This was developed as a countermeasure to the <strong>Cross-Site Request Forgery attack</strong> that was first documented in the early 2000's. </p> <p>What is a <strong>Cross-Site Request Forgery attack</strong> ? Allow me to give an example.</p> <p>This is Bob,</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fj1lrnh879rc547u6jqnf.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fj1lrnh879rc547u6jqnf.jpg" alt=" " width="800" height="800"></a></p> <p>Bob, logs into his bank at </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fulq6a5yw4jutlzwlf5ks.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fulq6a5yw4jutlzwlf5ks.jpg" alt=" " width="800" height="800"></a></p> <p>Bob then decided to go read an article at a certain website at </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2vpnks4och1uvcb198l4.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2vpnks4och1uvcb198l4.jpg" alt=" " width="800" height="800"></a></p> <p>Please note that Bob hasn't logged out of his bank account.</p> <p>The site 'welikekittens.com' is set up by a malicious actor(call him swipper). </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fh6h6xeko47lri6sotot3.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fh6h6xeko47lri6sotot3.png" alt=" " width="478" height="481"></a></p> <p>The website(welikekittens.com) is set up to send a form that is basically just a POST request to Bob's bank website that basically tells it to credit a certain amount of money to the account of the attackers choosing.</p> <p>Because of how browsers work, every request(GET, POST or otherwise ) sent from bob's browser to the bank's server has the authentication cookies that Bob was given when he logged into the bank. This includes requests that weren't sent by Bob himself and are being sent by the malicious site.</p> <p>To counteract this, Bob's bank decides to use a CSRF-Token. When Bob interacts with the Bank interface, he receives a CSRF token that is embedded on the page. So now, if welikekittens.com tries to send a request from bob's browser, the bank's server checks the form to see if the CSRF token is included in the form. </p> <p>Since it is not included the request is automatically denied because the request doesn't include the CSRF token. As a bonus because of the Same-Origin Policy(basically means that one website cannot read the contents of another website unless they are from the same host. Feel free to look it up) welikekittens.com is unable to see the token and bob's bank account is safe for now.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4xb9al3tj93v7o2mr1u1.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4xb9al3tj93v7o2mr1u1.png" alt=" " width="444" height="478"></a></p> <p>And that is CSRF tokens in a nutshell, feel free add or discredit what I have written (with proof of course :) ).</p> beginners cybersecurity security webdev