CSRF Token
What is CSRF Token?
Unpredictable, per-session value embedded in forms or headers so the server can confirm that state-changing requests originate from its own pages.
A CSRF token is the canonical defence against Cross-Site Request Forgery. The server generates a random value, binds it to the user's session, and embeds it in HTML forms or sends it via a custom header. On each state-changing request, the server compares the submitted token with the expected value and rejects any mismatch. Variations include the synchronizer token pattern (server-side state), double-submit cookies (stateless), and the OWASP HMAC-based token pattern. Modern applications should combine CSRF tokens with SameSite=Lax or Strict cookies, custom request headers together with Origin/Referer header checks, and strict CORS configuration. Bearer-token APIs called only from JavaScript do not need a CSRF token but still need anti-replay controls.
● Examples
- 01 Hidden <input type="hidden" name="csrf" value="a8f1..."> field in a form.
- 02 X-CSRF-Token header validated server-side against a per-session secret.
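The two patterns named above, the synchronizer token (server-side session state) and the stateless HMAC-based token, as an added Python example written for this page rather than taken from any framework; the session dictionary, session id and server secret are constructed stand-ins for whatever the real application uses.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed server-side secret for the HMAC pattern; a real deployment
# loads this from configuration and never embeds it in a page.
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"

# Only these methods are safe to leave unchecked; everything else may change state.
SAFE_METHODS = ("GET", "HEAD", "OPTIONS")


# --- Synchronizer token pattern: the expected value lives in the server-side session ---
def issue_synchronizer_token(session: dict) -> str:
    """Generate a fresh unpredictable token and bind it to this user's session."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def validate_synchronizer_token(session: dict, submitted: Optional[str]) -> bool:
    """Accept only if the submitted value equals the session copy (constant-time compare)."""
    expected = session.get("csrf_token")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)


# --- HMAC pattern: no per-token server state; the token is HMAC(secret, session_id:nonce) ---
def issue_hmac_token(session_id: str) -> str:
    """Return 'nonce.mac' so the server can recompute the MAC on validation."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def validate_hmac_token(session_id: str, submitted: Optional[str]) -> bool:
    """Recompute the MAC for this session and compare in constant time."""
    if not submitted or "." not in submitted:
        return False
    nonce, mac = submitted.split(".", 1)
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)


def check_request(session: dict, method: str, form: dict, headers: dict) -> bool:
    """Gate a request: safe methods pass; others need the token in the form or X-CSRF-Token header."""
    if method.upper() in SAFE_METHODS:
        return True
    submitted = form.get("csrf") or headers.get("X-CSRF-Token")
    return validate_synchronizer_token(session, submitted)
```

A token bound to one session is rejected for another, so a value leaked or forged elsewhere does not validate.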
● Frequently asked questions
What is CSRF Token?
Unpredictable, per-session value embedded in forms or headers so the server can confirm that state-changing requests originate from its own pages. It belongs to the Identity & Access category of cybersecurity.
What does CSRF Token mean?
Unpredictable, per-session value embedded in forms or headers so the server can confirm that state-changing requests originate from its own pages.
How do you defend against CSRF Token?
Defences for CSRF Token typically combine technical controls and operational practices, as detailed in the full definition above.