CSRF Protection vs Input Validation

Both are commonly confused. Here is a side-by-side breakdown of what each one does, when to reach for it, and when it would be the wrong choice.

CSRF Protection

CSRF Protection = a secret token your site issues with each form so the server can tell a real submission from one an attacker tricked the browser into sending.

Read full block →

Input Validation

Validation = checking data is correct (email has @). Sanitization = removing danger (no tags). Use BOTH. Validation catches mistakes, sanitization stops attacks.

Read full block →

When to use each

Use CSRF Protection when

  • Any endpoint that changes state using session cookies

    POST, PUT, PATCH, DELETE routes that trust a user's session cookie to authorize the action. Transfers, profile edits, password changes, posting comments, placing orders: all need CSRF protection.

  • You have server-rendered forms behind a login

    Classic Django, Rails, or Laravel apps render HTML forms after a user logs in. These are the exact shape CSRF was designed for. Include the token in every form and let middleware verify it on submit.

  • Your frontend and backend share a cookie-based session

    If a logged-in React or Vue app talks to your API through a session cookie (not a bearer token in the Authorization header), CSRF applies to your API too. Use the double-submit cookie pattern: server sends the token as a readable cookie, JS reads it and echoes it in a request header.

Use Input Validation when

  • You accept ANY data from users

    Forms, search boxes, API endpoints, file uploads. If a user can type or send something, you need to validate it. Never trust input you didn't create.

  • Data will be stored or displayed

    Before saving to a database or showing on a page, validate. Bad data in your database causes bugs forever. Bad data on your page can even attack other users (XSS).

  • You're building any login or signup flow

    Email must be real. Password must meet requirements. Username can't have special characters. These validations protect your users and your system.

  • You process payments or sensitive data

    Credit card numbers have specific formats. Social security numbers have rules. Validating these fields catches typos before expensive payment failures.

When to avoid each

Avoid CSRF Protection when

  • Pure read-only GET endpoints

    CSRF protects against state changes. A GET that only returns data does not need a token, provided it truly is read-only. Do not perform deletes or updates inside a GET handler, some ancient code does, and CSRF cannot save you there.

  • Stateless APIs authenticated by bearer token in a header

    If clients send an Authorization: Bearer ... header (mobile apps, server-to-server, most modern public APIs), no cookie rides along automatically, so there is no forgery to block. CSRF only bites when the browser is attaching credentials for you.

Avoid Input Validation when

  • Data comes from your own code

    If you're passing data between functions you wrote, you don't need to validate again. Validation is for untrusted input: external data you can't control.

  • You're over-validating

    Don't reject valid data with overly strict rules. Not all phone numbers are 10 digits. Not all names use only letters. Validate for safety, not arbitrary formatting.

COURSE

Ready to Build Real Products?

Learn to ship MicroSaaS apps with AI in the Solo Builder course.

Start Building →