Appendix C. What is CSRF?

Chapter 6 introduced the concept of cross-site request forgery (CSRF). This appendix takes a closer look at CSRF.

C.1. What is CSRF?

Let’s step out of the CORS mindset for a bit and talk about regular, old same-origin requests. Cookies are always included on same-origin requests, regardless of how that request was initiated. If you’re logged in to, any time your browser navigates to a site, the cookies will be included in the request. It doesn’t matter where the request originates: you can visit directly or click a link to go to Even if a page merely links to an image hosted on, the request for that image will include your cookies. You ...

Get CORS in Action: Creating and consuming cross-origin APIs now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.