[Answered] Cross Site Request Forgery protection in Django – a better explanation?

2👍

It’s confusing because it addresses a subtle vulnerability with web browsers.

Let’s say we have two sites: site.com and evil.com. Then the owner of evil.com can, if he knows the structure of the site.com website (which is easy if he can use it), set up a form targeting it.

<form action="http://target.com/my_account/_delete" method="POST">
    <!-- input is a void element: no closing </input> tag -->
    <input type="submit" value="Click Here for candy">
</form>

Anyone clicking it and logged into site.com will instantly trigger the action linked to (in this case, destroying their own account).

The idea of a csrf token is that the legitimate form looks like this:

<form action="http://target.com/my_account/_delete" method="POST">
    <!-- per-user token the attacker's page cannot know -->
    <input type="hidden" name="csrf_token" value="AEyaF8af8AIHJFA0L">
    <input type="submit" value="Don't click this unless absolutely sure!">
</form>

and because this value is user specific, and only known by and shown on the website, the users are now safe, and can’t delete their account without going through the proper page first, as any page from the attacker would not know this value.

Hopefully this is clearer.
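To make the check concrete, here is an added example (not code from the answer above and not Django's own implementation) that models what a CSRF middleware does on a POST: the server keeps a per-user secret in a cookie, renders a masked copy of it into the hidden field, and accepts the request only if the submitted field unmasks to the cookie's secret. The field name csrf_token follows the answer (Django's real field is csrfmiddlewaretoken), and the masking scheme, secret length and helper names are this example's own simplifications.

```python
import hmac
import secrets
from typing import Optional

SECRET_BYTES = 32  # length of the per-user secret; an assumption for this example


def new_secret() -> str:
    """Per-user secret the server stores in the user's CSRF cookie (hex string)."""
    return secrets.token_hex(SECRET_BYTES)


def mask_token(secret: str) -> str:
    """Value rendered into the form's hidden field.

    A fresh random mask is XORed over the secret, so each rendered form carries a
    different string that still unmasks to the same secret (simplified version of
    the masking idea, not Django's exact algorithm).
    """
    raw = bytes.fromhex(secret)
    mask = secrets.token_bytes(len(raw))
    masked = bytes(a ^ b for a, b in zip(raw, mask))
    return mask.hex() + masked.hex()


def unmask_token(token: str) -> Optional[str]:
    """Recover the secret from a masked form value; None if the shape is wrong."""
    if len(token) != 4 * SECRET_BYTES:  # mask + masked, both hex-encoded
        return None
    try:
        blob = bytes.fromhex(token)
    except ValueError:
        return None
    mask, masked = blob[:SECRET_BYTES], blob[SECRET_BYTES:]
    return bytes(a ^ b for a, b in zip(masked, mask)).hex()


def csrf_check(cookie_secret: str, form_token: Optional[str]) -> bool:
    """Reject the POST unless the hidden field unmasks to the cookie's secret."""
    if not form_token:
        return False
    recovered = unmask_token(form_token)
    if recovered is None:
        return False
    return hmac.compare_digest(recovered, cookie_secret)  # constant-time compare


def demo() -> dict:
    """Constructed requests: site.com's own form passes, evil.com's forms do not."""
    secret = new_secret()                                # victim's cookie value
    legit = {"csrf_token": mask_token(secret)}           # rendered by site.com
    forged = {}                                          # evil.com cannot read the cookie
    guessed = {"csrf_token": mask_token(new_secret())}   # token for some other secret
    return {name: csrf_check(secret, form.get("csrf_token"))
            for name, form in (("legit", legit), ("forged", forged), ("guessed", guessed))}
```

The cookie value itself must also be unreadable to evil.com, which is why the same-origin policy on cookies and document access is what the token ultimately rests on.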
