DEV Community

Rouwel Ngacha

the CSRF token

Hello world, my name is rrouwelng and I am here to talk about the CSRF token.

So, what is a CSRF token? A Cross-Site Request Forgery token is a unique and unpredictable value generated by the server-side application. It was developed as a countermeasure to the Cross-Site Request Forgery attack, which was first documented in the early 2000s.

What is a Cross-Site Request Forgery attack? Allow me to give an example.

This is Bob,

Bob logs into his bank at

Bob then decides to go read an article at a certain website at

Please note that Bob hasn't logged out of his bank account.

The site 'welikekittens.com' is set up by a malicious actor (call him Swipper).

The website (welikekittens.com) serves a form that is basically just a POST request to Bob's bank website, telling it to credit a certain amount of money to an account of the attacker's choosing.

Because of how browsers work, every request (GET, POST or otherwise) sent from Bob's browser to the bank's server carries the authentication cookies that Bob was given when he logged into the bank. This includes requests that weren't initiated by Bob himself but are being sent by the malicious site.

To counteract this, Bob's bank decides to use a CSRF token. When Bob interacts with the bank's interface, he receives a CSRF token that is embedded in the page. So now, if welikekittens.com tries to send a request from Bob's browser, the bank's server checks the submitted form to see whether the CSRF token is included.

Since the forged form does not include the token, the request is automatically denied. As a bonus, because of the Same-Origin Policy (which basically means that one website cannot read the contents of another website unless they are from the same host; feel free to look it up), welikekittens.com is unable to see the token, and Bob's bank account is safe for now.
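The flow above as an added example, not code from the original post: a minimal server-side sketch in Python with a constructed in-memory session store. The `/transfer` route, the `csrf_token` field name and the starting balance are assumptions made for the illustration.

```python
import hmac
import secrets

# Constructed in-memory session store keyed by the session cookie value.
# It stands in for the bank's real server-side session storage.
SESSIONS = {}

def login(user):
    """Create a session for `user` and return the cookie value the browser will store."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "balance": 1000}
    return sid

def issue_csrf_token(sid):
    """Generate an unpredictable per-session CSRF token and remember it server-side."""
    token = secrets.token_urlsafe(32)
    SESSIONS[sid]["csrf"] = token
    return token

def render_transfer_form(sid):
    """Simulate the page Bob receives from the bank: the token is a hidden form field.
    Same-Origin Policy keeps this HTML (and so the token) unreadable to other sites."""
    token = issue_csrf_token(sid)
    return ('<form method="POST" action="/transfer">'
            f'<input type="hidden" name="csrf_token" value="{token}">'
            '<input name="to"><input name="amount"></form>')

def handle_transfer(cookie_sid, form):
    """Server-side handler for POST /transfer. `form` is the parsed POST body.
    The browser attached the session cookie automatically, so the cookie alone
    proves the session exists, not that Bob intended this request."""
    session = SESSIONS.get(cookie_sid)
    if session is None:
        return "401 not logged in"
    expected = session.get("csrf")
    submitted = form.get("csrf_token")
    # Missing or wrong token: reject before touching the balance.
    # compare_digest avoids leaking the token through comparison timing.
    if not expected or not submitted or not hmac.compare_digest(expected, submitted):
        return "403 missing or invalid CSRF token"
    session["balance"] -= int(form["amount"])
    return f"200 transferred {form['amount']} to {form['to']}"
```

A form served by welikekittens.com can only supply the fields it knows (`to`, `amount`), so its POST arrives without `csrf_token` and is rejected, while the bank's own form carries the token and succeeds.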

And that is CSRF tokens in a nutshell. Feel free to add to or discredit what I have written (with proof, of course :) ).
