CSRF

SECURITY

Quick Definition

Cross-Site Request Forgery (CSRF or XSRF) is a web security vulnerability in which an attacker causes a user's browser to send a request the user did not intend to a site where the user is already authenticated. Because the browser automatically attaches a site's cookies, including the session cookie, to requests bound for that site regardless of which page initiated them, a malicious page can forge a request that the server cannot distinguish from an action the user deliberately took.

How it works

Suppose you are logged into your bank at bank.com. An attacker creates a page containing a hidden form whose action is the bank's transfer endpoint, with the recipient and amount pre-filled, and a short script that submits it as soon as the page loads. If you visit the attacker's page while still logged into your bank, your browser sends the POST to bank.com along with your session cookie. The bank's server sees a valid session and processes the transfer. You never clicked anything on the bank's site, and possibly nothing on the attacker's page either, but the request was made on your behalf. The attacker never sees the response; CSRF is a blind, write-only attack, which is why it targets state-changing actions rather than data theft.

CSRF defenses include synchronizer tokens (a random, per-session secret embedded in each state-changing form or request header and verified by the server, which a cross-site page cannot read), the SameSite cookie attribute (Strict withholds the cookie from all cross-site requests; Lax withholds it from cross-site POSTs but still sends it on top-level GET navigations, so state-changing GET endpoints remain exposed), checking that the Origin or Referer header matches the site's own origin (the browser sets these headers and page script cannot override them), and requiring re-authentication for sensitive operations. Several of these should be layered, since SameSite depends on browser support and a Referer may be stripped by privacy settings. Django and Rails include synchronizer-token protection by default, and Next.js Server Actions compare the Origin header against the Host header; plain API routes in most frameworks do not get such checks automatically.

Why it matters

CSRF attacks can change passwords, transfer funds, modify account settings, or perform any state-changing action the authenticated user can take. The attack requires no access to the target server and no vulnerability in it beyond the missing check; the victim only has to load a page the attacker controls while holding a valid session with the target. CSRF appeared in the OWASP Top 10 from 2007 through 2013 and was dropped in 2017, largely because framework defaults had made it less common, but it remains a routine finding in applications that roll their own session handling or expose state-changing GET endpoints. Understanding CSRF is essential for any developer building applications with cookie-based session authentication.

Where you'll see this on TerminalFeed

The TerminalFeed API uses bearer token authentication (not cookies) for protected endpoints like /api/tweet, which makes it inherently resistant to CSRF: the token travels in the Authorization header, which the browser never adds on its own, and a cross-site page cannot read the token to add it itself, so a forged request arrives unauthenticated. That property holds only as long as those endpoints never also accept the session from a cookie. The API Security article discusses authentication patterns and common web vulnerabilities including CSRF.