CSRF Attack Explained Web Security Guide 2026

by x32x01 (#1)
In this thread, we’ll break down one of the most dangerous and common web security issues in modern applications: CSRF (Cross-Site Request Forgery) 🔥. You’ll learn how attackers exploit it to silently change user passwords and how to properly defend your applications.

What’s the problem with the password change endpoint? 🔐

We have a simple endpoint that allows users to change their password. The only check the developer performs is whether a logged-in user exists in the session:
JavaScript:
if (!req.session.user) return res.status(401).send("Not logged in"); // the only check performed
At first glance, this seems fine 👍
But there’s a critical missing question:
Is this request really coming from the actual user or from an external attacker?
The application blindly trusts the session, which opens the door to CSRF attacks 🧨

How a CSRF attack works ⚠️

Browsers automatically attach a site's cookies (including the session cookie) to every request sent to that site, no matter which page initiated the request, unless the cookie's SameSite attribute blocks it.
That means if a user is logged in, any request to the site, legitimate or malicious, will carry their session automatically.

Normal request example:

Code:
POST /change-password
new_password=newPass123

Attack scenario 💣

An attacker creates a malicious webpage:
HTML:
<form action="https://victim.com/change-password" method="POST">
  <input type="hidden" name="new_password" value="hacked123">
</form>

<script>
document.forms[0].submit();
</script>
When the victim opens this page while logged in:
  • The browser automatically sends the session cookie 🍪
  • The server thinks the request is legitimate
  • The password gets changed without the user’s consent 😱

Why this code is dangerous 🚨

In the original implementation, the new password is taken straight from the request body and applied:
JavaScript:
new_password = req.body.new_password // no token, no current-password check, no origin check
Here’s what’s wrong:
  • No confirmation of current password
  • No CSRF protection at all
  • Full trust in session authentication
This allows any external website to trigger sensitive actions on behalf of the user.

Impact of CSRF attacks 💥

CSRF vulnerabilities can lead to serious damage, including:
  • Unauthorized password changes 🔑
  • Full account takeover
  • Performing actions without user consent
  • Abuse of admin or privileged sessions
This makes CSRF especially dangerous in banking, admin dashboards, and SaaS platforms.

How to fix CSRF vulnerabilities 🛡️

1. Use CSRF tokens

Generate a unique token for each session and validate it on every sensitive request:
JavaScript:
const csrf = require('csurf');
// csurf must be mounted after the session (or cookie-parser) middleware it stores the secret in
app.use(csrf());
The token must then be embedded in every form (for example as a hidden field filled from req.csrfToken()); a request whose token is missing or does not match is rejected, so only requests originating from your own frontend are accepted.

2. Require current password confirmation

JavaScript:
// In a real application the stored value is a password hash, so compare with the
// hashing library's verify function (e.g. bcrypt.compare) rather than with !==
if (users[username].password !== req.body.current_password) {
    return res.status(403).send("Wrong current password");
}
This adds an extra layer of protection before allowing password changes: a forged cross-site request cannot supply a secret the attacker does not know.

3. Use secure cookies

Avoid this ❌:
JavaScript:
secure: false
Use this instead ✅:
JavaScript:
secure: true
Because secure: false allows the cookie to be sent over plain HTTP, where it can be intercepted easily 🚨. Note that the Secure flag protects the cookie in transit; on its own it does not stop a cross-site request from carrying the cookie, which is what the CSRF token and the SameSite attribute address.

Best security practices 🔒

To properly secure your web applications:
  • Always use CSRF protection middleware
  • Set the SameSite attribute (Lax or Strict) on session cookies
  • Enforce HTTPS across the entire app
  • Require re-authentication for sensitive actions
  • Validate request origin when possible
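For the last two bullets, an added example that is not from the original post: an Origin/Referer check for state-changing requests and a Set-Cookie value carrying the SameSite, Secure and HttpOnly attributes. `APP_ORIGIN`, `isTrustedOrigin`, `buildSessionCookie` and the sample headers are invented for illustration; the example goes slightly beyond the post by handling the `null` origin and a missing Origin header.

```javascript
// Added example, not from the original post. Origin validation and cookie attributes.
const APP_ORIGIN = 'https://victim.com'; // the post's example domain, used as the expected origin

// Returns true only when the request's Origin header (or, if absent, the Referer) matches the
// application's own origin. A cross-site form post carries the attacker's origin and is rejected
// before any state-changing logic runs. When neither header is present the check fails closed,
// which is the safe default for POST/PUT/DELETE.
function isTrustedOrigin(headers, appOrigin = APP_ORIGIN) {
  const origin = headers.origin;
  if (origin !== undefined) {
    // Browsers send the literal string "null" for opaque origins (sandboxed iframes, data: URLs);
    // it never equals the app origin, so it is treated as untrusted.
    return origin === appOrigin;
  }
  const referer = headers.referer;
  if (referer === undefined) return false;
  try {
    // Compare full origins, not prefixes: "https://victim.com.attacker.example" must not pass.
    return new URL(referer).origin === appOrigin;
  } catch {
    return false; // unparsable Referer
  }
}

// Wraps the check for a handler: only state-changing methods need it, safe methods pass through.
function originGuard(method, headers) {
  const safe = ['GET', 'HEAD', 'OPTIONS'].includes(method.toUpperCase());
  return safe || isTrustedOrigin(headers);
}

// Builds a Set-Cookie header value for the session cookie with the attributes the post recommends.
function buildSessionCookie(sessionId, { sameSite = 'Strict', maxAge = 3600 } = {}) {
  return [
    `sid=${encodeURIComponent(sessionId)}`,
    'Path=/',
    `Max-Age=${maxAge}`,
    'HttpOnly',          // not readable from page scripts
    'Secure',            // only sent over HTTPS
    `SameSite=${sameSite}`, // not attached to cross-site requests (Lax still allows top-level GET navigations)
  ].join('; ');
}

// Constructed sample headers (not captured traffic) for illustration.
const CROSS_SITE_POST = { origin: 'https://attacker.example', referer: 'https://attacker.example/evil.html' };
const SAME_SITE_POST = { origin: 'https://victim.com', referer: 'https://victim.com/settings' };

module.exports = { APP_ORIGIN, isTrustedOrigin, originGuard, buildSessionCookie, CROSS_SITE_POST, SAME_SITE_POST };
```

Origin checking is a defence in depth next to the token, not a replacement: the Referer can be suppressed by referrer policy, so the Origin header is preferred and the check fails closed when both are missing. SameSite=Strict never sends the cookie on a cross-site request; Lax still sends it on top-level GET navigations, which is why state changes must not be reachable via GET.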

Conclusion 🧠

CSRF attacks don’t break your server directly - they exploit the trust between the browser and your application.
If your app relies only on sessions without CSRF protection, attackers can silently perform actions on behalf of users without them ever noticing.