With CSRF Protection
The server checks the token. Real forms pass. Forged requests get a 403.
Parties in the diagram: the victim's browser, bank.com, and evil.com.

Victim's browser (logged in to bank.com, so a bank.com session cookie is present)

  Legitimate page: https://bank.com/transfer
    "Send money" form with amount, recipient, etc., plus a hidden field
    csrf_token = a9f2b7...c14 (issued by bank.com for this session and embedded in the page HTML)

  Attacker page: https://evil.com/win-a-prize
    "You've won! Just click anywhere to claim your reward..."
    The click submits a hidden form aimed at the bank:
      <form action="https://bank.com/transfer" method="POST">
        <input type="hidden" name="to" value="attacker">
        <input type="hidden" name="amount" value="5000">
      </form>
    csrf_token = ??? (evil.com cannot read bank.com's HTML: the same-origin policy stops a
    cross-origin page from reading the response that carries the token)

bank.com, CSRF middleware (state: Idle, then Waiting for a request)

  Request from the real form:      POST /transfer  +cookie  +csrf_token a9f2...  -> token matches the session, request passes
  Request from evil.com's form:    POST /transfer  +cookie  NO csrf_token        -> 403 Forbidden

Real form passed. Forged request blocked with 403. Note that the browser attached the session cookie to both
requests; the cookie alone cannot tell them apart. Only the token, which the attacker could not obtain, does.