Hi everyone, I\u2019m Shreya, and today I want to shed light on some lesser-discussed aspects of Cross-Site Request Forgery (CSRF). While identifying CSRF vulnerabilities during security assessments or bug bounties can often be straightforward, effectively mitigating them requires a deeper understanding of browser behavior, HTTP methods, and secure token handling. In this blog, I\u2019ll share my learnings on how CSRF attacks actually work, why some requests are more vulnerable than others, and the modern strategies you can adopt\u2014both on the client and server side\u2014to strengthen your web application’s defense against CSRF.<\/p>\n\n\n\n
Let’s get started from the basics.<\/p>\n\n\n\n
Cross-Site Request Forgery (CSRF) is a critical web security vulnerability that exploits the trust a website has in a user’s browser. Often overlooked by developers, CSRF attacks can allow malicious websites to perform unauthorized actions on behalf of authenticated users\u2014without their consent or awareness. This blog post dives deep into what CSRF is, how it works under the hood, and why it primarily affects GET and POST requests. We\u2019ll also explore why HTTP methods like PUT are generally considered immune to CSRF and how modern browsers have evolved to defend against these attacks using secure cookie policies and built-in protections.<\/p>\n\n\n\n
Imagine this: You’re logged into your bank account in one browser tab. In another tab, you visit a malicious website. That malicious site can silently submit a request \u2014 like transferring money \u2014 on your behalf to your bank, and your browser will attach your bank session cookie because it’s still valid. The bank thinks the request came from you.<\/p>\n\n\n\n
Here\u2019s how a CSRF attack typically works:<\/p>\n\n\n\n
example.com<\/code>)<\/strong> and obtains an active session via cookies.<\/li>\n\n\n\n- Attacker lures the user to a malicious site (e.g.,
attacker.com<\/code>)<\/strong>. This could happen through phishing emails, social media, or even ads.<\/li>\n\n\n\n- The malicious site silently submits a request<\/strong> (e.g.,
GET<\/code> or POST<\/code>) to example.com<\/code>.<\/li>\n\n\n\n- Browser automatically includes the session cookie<\/strong>, and the request appears valid to the server.<\/li>\n\n\n\n
- The server executes the action<\/strong>, thinking it was initiated by the legitimate user.<\/li>\n<\/ol>\n\n\n\n
Why CSRF Works with GET\/POST But Not with PUT<\/h3>\n\n\n\n
A common question is: Why are GET and POST requests vulnerable to CSRF, while PUT and DELETE are not (or less so)?<\/em><\/p>\n\n\n\nThe reason lies in how browsers behave by default, particularly in how they send requests and handle CORS (Cross-Origin Resource Sharing)<\/strong> and content types<\/strong>.<\/p>\n\n\n\nGET\/POST: Vulnerable by Design<\/h4>\n\n\n\n\n- GET<\/strong> requests can be triggered just by loading an image, iframe, or script.<\/li>\n\n\n\n
- POST<\/strong> requests can be automatically submitted through hidden HTML forms using JavaScript or auto-submit mechanisms.<\/li>\n\n\n\n
- Both allow browser cookies to be sent automatically without user interaction.<\/li>\n\n\n\n
- These methods do not require preflight checks<\/strong> or any additional permissions, making them easy to exploit.<\/li>\n<\/ul>\n\n\n\n
Example CSRF payload using a POST form:<\/p>\n\n\n\n
<form action=\"https:\/\/example.com\/delete-account\" method=\"POST\">\n <input type=\"hidden\" name=\"confirm\" value=\"yes\">\n <input type=\"submit\" value=\"Submit\">\n<\/form>\n<script>document.forms[0].submit();<\/script>\n<\/code><\/pre>\n\n\n\nThis will silently send the form data to example.com<\/code> if the user is logged in.<\/p>\n\n\n\n
\n\n\n\nWhy PUT, DELETE, PATCH Requests Are Safer<\/h4>\n\n\n\n1. CORS Preflight Requirement<\/strong><\/h5>\n\n\n\nWhen a browser sends a request with an “unsafe” HTTP method (e.g., PUT<\/code>, DELETE<\/code>), it first sends a preflight OPTIONS<\/code> request<\/strong> to the server to check permissions. If the server does not explicitly allow the origin, the actual request is blocked.<\/p>\n\n\n\nExample preflight behavior:<\/p>\n\n\n\n
OPTIONS \/update-profile HTTP\/1.1\nOrigin: https:\/\/attacker.com\nAccess-Control-Request-Method: PUT\n<\/code><\/pre>\n\n\n\n2. Content-Type Limitations<\/strong><\/h5>\n\n\n\nHTML forms can only submit a limited set of content types:<\/p>\n\n\n\n
\napplication\/x-www-form-urlencoded<\/code><\/li>\n\n\n\nmultipart\/form-data<\/code><\/li>\n\n\n\ntext\/plain<\/code><\/li>\n<\/ul>\n\n\n\nHowever, many modern APIs require application\/json<\/code>, which cannot be submitted via HTML forms without JavaScript<\/strong> \u2014 and cross-origin JavaScript is restricted by CORS.<\/p>\n\n\n\n3. No HTML Form Support for PUT<\/strong><\/h5>\n\n\n\nHTML forms do not support methods like PUT<\/code> or DELETE<\/code>. They only allow GET<\/code> and POST<\/code>, so a CSRF payload can’t trigger them easily without special scripts.<\/p>\n\n\n\n4. Same-Origin Policy Reinforcement<\/strong><\/h5>\n\n\n\nEven if the attacker tries to send a PUT<\/code> request via JavaScript, the browser\u2019s same-origin policy<\/strong> prevents it from reading or interacting with responses unless the server explicitly permits it via CORS headers.<\/p>\n\n\n\n
\n\n\n\nHow Modern Browsers Help Prevent CSRF<\/h3>\n\n\n\n
To reduce the risk of CSRF, modern browsers now implement several built-in mechanisms that strengthen cookie behavior and reduce the chances of unauthorized cross-site interactions.<\/p>\n\n\n\n
1. SameSite Cookie Attribute<\/strong><\/h4>\n\n\n\nCookies can now include the SameSite<\/code> attribute, which restricts when cookies are sent in cross-site requests.<\/p>\n\n\n\n\nSameSite=Strict<\/code>: Cookies are sent only for same-site requests.<\/li>\n\n\n\nSameSite=Lax<\/code>: Cookies are sent for top-level navigations (e.g., clicking a link).<\/li>\n\n\n\nSameSite=None; Secure<\/code>: Cookies are sent cross-site, but only over HTTPS.<\/li>\n<\/ul>\n\n\n\nExample:<\/strong><\/p>\n\n\n\nSet-Cookie: sessionid=xyz123; SameSite=Lax; Secure; HttpOnly\n<\/code><\/pre>\n\n\n\nThis helps prevent CSRF by ensuring cookies are not included in background requests from third-party sites.<\/p>\n\n\n\n
2. Default to Lax<\/strong><\/h4>\n\n\n\nIf no SameSite<\/code> is specified, modern browsers default to Lax<\/code><\/strong>, offering protection by default against most background CSRF attempts, especially via images or silent requests.<\/p>\n\n\n\n3. Content Security Policy (CSP)<\/strong><\/h4>\n\n\n\nCSP allows you to define what content can be loaded on your site. With frame-ancestors<\/code>, you can prevent your site from being embedded in iframes \u2014 reducing clickjacking and CSRF via malicious UI embedding.<\/p>\n\n\n\nExample CSP:<\/strong><\/p>\n\n\n\nContent-Security-Policy: frame-ancestors 'none';\n<\/code><\/pre>\n\n\n\n4. Cross-Origin Resource Sharing (CORS)<\/strong><\/h4>\n\n\n\nProperly configured CORS headers let you define which external origins<\/strong> can access your resources. If a malicious site tries to make a cross-origin request, the browser blocks it unless it’s allowed.<\/p>\n\n\n\nExample:<\/strong><\/p>\n\n\n\nAccess-Control-Allow-Origin: https:\/\/yourdomain.com\n<\/code><\/pre>\n\n\n\n5. Referrer Policy<\/strong><\/h4>\n\n\n\nA restrictive referrer policy minimizes the leakage of session or origin data when navigating across domains.<\/p>\n\n\n\n
Recommended setting:<\/strong><\/p>\n\n\n\nReferrer-Policy: strict-origin-when-cross-origin\n<\/code><\/pre>\n\n\n\n6. Permissions Policy<\/strong><\/h4>\n\n\n\nUse the Permissions-Policy<\/code> (formerly Feature-Policy<\/code>) to disable unnecessary APIs like geolocation, camera, or microphone for embedded or framed content.<\/p>\n\n\n\nExample:<\/strong><\/p>\n\n\n\nPermissions-Policy: geolocation=(), camera=(), microphone=()\n<\/code><\/pre>\n\n\n\n
\n\n\n\nBest Practices Summary<\/h3>\n\n\n\n
To secure your application against CSRF:<\/p>\n\n\n\n