What is CSRF (Cross-Site Request Forgery)?

An attack where a malicious site triggers a state-changing request against your app while your user is logged in, using the user's cookies.

Full explanation

CSRF exploits the browser's automatic inclusion of cookies with cross-origin requests. If your app performs state-changing actions on cookie-authenticated requests without a CSRF token or SameSite defense, any other site the user visits can trigger those actions. Modern defenses layer three controls: SameSite=Lax session cookies (the browser default), a CSRF token on forms, and Origin/Referer checks on sensitive endpoints.

Example

Your app has `POST /api/change-email`. A malicious site embeds `<form action="https://yourapp.com/api/change-email" method="POST">` and auto-submits it. If your app accepts the request, the user's email changes.
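The layered defense described above, applied to the change-email example, as an added Python example that is not part of the original page: the app origin `https://yourapp.com` is taken from the example, and the function names and the constructed request headers are my own.

```python
import hmac
import secrets
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Assumed application origin (the host used in the page's example).
APP_ORIGIN = "https://yourapp.com"
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}  # these must never change state


def issue_csrf_token() -> str:
    """Per-session token: store it server-side and embed it in every form."""
    return secrets.token_urlsafe(32)


def session_cookie(value: str) -> str:
    """Set-Cookie value for the session cookie; SameSite=Lax is the first layer."""
    return f"session={value}; Path=/; Secure; HttpOnly; SameSite=Lax"


def check_csrf(method: str, headers: Dict[str, str],
               session_token: Optional[str],
               form_token: Optional[str]) -> Tuple[bool, str]:
    """Decide whether a state-changing request may proceed.

    The browser enforces SameSite; this adds the Origin/Referer check and
    the token comparison. Returns (allowed, reason) so rejections can be logged.
    """
    if method.upper() in SAFE_METHODS:
        return True, "safe method"
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    # Browsers send Origin on cross-origin POSTs; fall back to Referer's origin.
    source = h.get("origin")
    if source is None and "referer" in h:
        p = urlsplit(h["referer"])
        source = f"{p.scheme}://{p.netloc}"
    if source is None:
        return False, "no Origin or Referer header"  # fail closed on POST
    if source != APP_ORIGIN:  # also rejects the literal "null" origin
        return False, f"cross-site request from {source}"
    if not session_token or not form_token:
        return False, "missing CSRF token"
    # Constant-time compare so the token cannot be recovered byte by byte.
    if not hmac.compare_digest(session_token, form_token):
        return False, "CSRF token mismatch"
    return True, "ok"
```

The auto-submitted form from the example arrives carrying the attacker site's Origin and no token, so it is refused at the origin check before the token is even consulted.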

FAQ

Is SameSite=lax enough?

For most apps, yes. For sensitive endpoints (password change, payment auth), add explicit CSRF tokens too.