Glossary · Security

Cross-Site Request Forgery (CSRF)

An attack where a user's authenticated session is abused to perform actions they did not intend, by tricking their browser into making a request.

In detail

Cross-Site Request Forgery (CSRF) is a class of attack in which an attacker-controlled page (or a link the victim clicks; no click is needed if the page auto-submits a form) causes the victim's browser to send a request to a site where the victim is already logged in. The browser attaches the victim's session cookie, or another ambient credential such as HTTP Basic auth, automatically, so the target site sees an authenticated request and processes it as legitimate. The attacker never sees the response and does not need to: the damage is the side effect, such as a funds transfer, an email or password change, or a settings update. Modern defences are layered: the SameSite cookie attribute (Chromium-based browsers now treat cookies without the attribute as Lax, but Lax still sends the cookie on top-level GET navigations, so state-changing endpoints must never accept GET), anti-CSRF tokens bound to the session and required on every state-changing request, and checking that the Origin header (or, failing that, Referer) matches the site's own origin.

Why it matters for Australian business

Most modern Australian web apps get partial protection from browser SameSite defaults, but that default does not cover state-changing GET endpoints, cookies explicitly set to SameSite=None for cross-site use, or browsers that have not adopted Lax-by-default, and custom-built and vibe-coded apps often expose state-changing endpoints without checking either the request origin or a token. The Server Actions feature in Next.js had a recent CSRF advisory (GHSA-mq59-m269-xvcx), which is why we keep frameworks patched and recommend the same to clients.


Want to talk through how this applies to your business? Book a free consult.