RuntimeError: A secret key is required to use CSRF.

Answer:

A CSRF (Cross-Site Request Forgery) token is a security measure that protects against forged requests submitted from another website on behalf of a logged-in user. When CSRF protection is enabled in a web application, the framework needs a secret key to generate and validate the token and so confirm that the request is legitimate; the error in the title is raised when CSRF protection is turned on but no such key has been configured.

Example:

Suppose you have a web form that allows users to submit sensitive data. To protect against CSRF attacks, you can include a CSRF token in the form and validate it on the server side before processing the request.

Here’s a simple example of how you can implement CSRF protection in a web form:

    <form action="/submit" method="POST">
      <input type="hidden" name="csrf_token" value="{{ csrf_token }}">
      <input type="text" name="data" placeholder="Enter sensitive data">
      <input type="submit" value="Submit">
    </form>

In the example above, we have included a hidden input field named `csrf_token` whose value is generated by the server-side code (for example by a framework such as Django or Laravel) when the page is rendered. The matching CSRF token is typically stored in the session or sent as a cookie.

On the server side, when the form is submitted, you must validate the CSRF token before processing the request. If the token is invalid or missing, abort the request and return an error response.

    # Example server-side validation (Python with Django)
    import hmac

    from django.http import HttpResponse


    def submit(request):
        if request.method == 'POST':
            csrf_token = request.POST.get('csrf_token')
            expected = request.session.get('csrf_token')
            # Compare in constant time so the check does not leak timing information
            if csrf_token and expected and hmac.compare_digest(csrf_token, expected):
                # CSRF token is valid, process the request
                data = request.POST.get('data')
                # Process the data...
                return HttpResponse('OK')
            else:
                # CSRF token is invalid or missing
                return HttpResponse('Invalid CSRF token', status=401)
        return HttpResponse('Method not allowed', status=405)

In the server-side validation code above (using Django as an example), we retrieve the submitted CSRF token from the POST data and compare it with the token stored in the session. If they match, we process the request; otherwise, we return an error response. Note that Django's built-in `CsrfViewMiddleware` already performs this check for you; the hand-written view only illustrates the mechanism.

By including and validating the CSRF token in your web forms, you protect against CSRF attacks in which an attacker tricks a user's browser into performing unwanted actions on the user's behalf.
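As an added example that is not part of the original answer, the following standard-library Python (no web framework) implements the pattern above as a signed, session-bound token, validates it in constant time, and reproduces the RuntimeError from the title when no secret key is configured. The secret key, session id and form values are constructed sample data; `handle_submit` stands in for the view function.

```python
import hashlib
import hmac
import secrets

CSRF_ERROR = "A secret key is required to use CSRF."


def _mac(secret_key: str, session_id: str, nonce: str) -> str:
    # Bind the nonce to the session so a token only validates where it was issued.
    msg = f"{session_id}:{nonce}".encode()
    return hmac.new(secret_key.encode(), msg, hashlib.sha256).hexdigest()


def generate_csrf_token(secret_key, session_id: str) -> str:
    """Mint the value placed in the hidden csrf_token field."""
    # Nothing can be signed without a key, so refuse with the error the page quotes.
    if not secret_key:
        raise RuntimeError(CSRF_ERROR)
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_mac(secret_key, session_id, nonce)}"


def validate_csrf_token(secret_key, session_id: str, submitted) -> bool:
    """Return True only for a token minted for this session with this key."""
    if not secret_key:
        raise RuntimeError(CSRF_ERROR)
    if not isinstance(submitted, str) or "." not in submitted:
        return False  # missing or malformed token
    nonce, mac = submitted.split(".", 1)
    # Constant-time comparison; a plain == would leak timing information.
    return hmac.compare_digest(mac, _mac(secret_key, session_id, nonce))


def handle_submit(secret_key, session_id: str, form: dict) -> tuple:
    """Simulated POST handler returning (HTTP status, body) for a form dict."""
    try:
        ok = validate_csrf_token(secret_key, session_id, form.get("csrf_token"))
    except RuntimeError as exc:
        return 500, str(exc)  # server misconfiguration, not a forged request
    if not ok:
        return 403, "Invalid CSRF token"
    return 200, f"processed: {form.get('data', '')!r}"


if __name__ == "__main__":
    key, sid = "constructed-demo-secret", "session-abc"  # constructed sample values
    token = generate_csrf_token(key, sid)
    print(handle_submit(key, sid, {"csrf_token": token, "data": "hello"}))
    print(handle_submit(key, "other-session", {"csrf_token": token}))
    print(handle_submit(None, sid, {"csrf_token": token}))
```

The third call shows the misconfiguration case: with no secret key the handler cannot validate anything and reports the same error text as the title rather than silently accepting the request.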
