Best Practices - Cross-Site Request Forgery

Last updated: July 9, 2026

Cross-Site Request Forgery



Vulnerability Overview

Cross-Site Request Forgery or CSRF (CWE-352) is an attack that occurs when the web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent HTTP request was intentionally provided by the user who submitted the request.

A CSRF attack works because browser requests automatically include all cookies including session cookies. Therefore, if the user is authenticated to the site, the site cannot distinguish between legitimate requests and forged requests.

The flaw occurs when the application does not have any mechanism to distinguish between legitimate requests and forged requests.

Recommended Security Controls

According to the OWASP​ and ​MITRE​ recommendations, there are a few approaches to mitigate CSRF attacks. Each of these approaches is suitable for specific types of web applications.

The most commonly used and recommended solution is via the ​Synchronizer Token Pattern​. Using this security control, CSRF tokens are generated on the server-side. They can be generated once per user session or for each request. Per-request tokens are more secure than per-session tokens as the time range for an attacker to exploit the stolen tokens is minimal. However, this may result in usability concerns. For example, the "Back" button browser capability is often hindered as the previous page may contain a token that is no longer valid. Interaction with this previous page will result in a CSRF false positive security event at the server. In per-session token implementation after initial generation of a token, the value is stored in the session and is used for each subsequent request until the session expires.

When an HTTP request is issued by the client, the server-side component must verify the existence and validity of the token in the request compared to the token found in the user session. If the token was not found within the request, or the value provided does not match the value within the user session, then the request should be aborted, the user session terminated and the event logged as a potential CSRF attack in progress.

CSRF tokens prevent CSRF attacks because without knowing the correct CSRF token, attackers cannot create valid HTTP requests to the backend server.

Another security control is the validation of the HTTP request’s origin via standard HTTP request headers​. There are two steps to this mitigation, both of which rely on examining an HTTP request header value:

  1. Determining the origin the request is coming from (source origin) which can be achieved via Origin or Referer headers.

  2. Determining the origin the request is going to (target origin).

On the server side, if both are verified as matching, the request is accepted as legitimate (meaning it's the same origin request) and if not we discard the request (meaning that the request originated from cross-domain). Such headers are deemed reliable and trustworthy as they cannot be altered programmatically (using JavaScript with an XSS vulnerability) since they fall under the forbidden headers list, meaning that only the browser can set them.

How Waratek’s Protection Works

Waratek offers protection against CSRF attacks via 2 different features in the ARMR http rule:

  1. csrf(synchronized-tokens)

  2. csrf(same-origin)

Users can enable either one of these features or both. OWASP recommends using both security controls, however not all application environments are applicable for both types of security controls.

The CSRF Synchronizer Token Pattern (STP) rule

At a high-level, the CSRF STP rule stops the processing of the JSP/Servlet if the received HTTP request is missing or carries an incorrect CSRF token.

The CSRF STP rule enables the Synchronizer Token Pattern protection, which instructs Waratek to inject CSRF tokens in specific HTML elements. The HTML elements covered are:

  • ​ elements in which the token is injected as a hidden input field.
  • elements in which the token is injected in the URL specified by its href attribute.

  • ​ and