LOGBOOK

HELP

Quiz Entry - updated: 2026.06.20

How do you implement CSRF protection in an HTML form?

Embed a hidden, unpredictable CSRF token in the form and validate it server-side — a forged cross-site request can't supply the right one.

HTML form with CSRF token:

<form action="/transfer" method="POST">
  <input type="hidden" name="csrf_token" value="a8f3b2c1d4e5...">
  <input name="amount" value="100">
  <button type="submit">Transfer</button>
</form>

Server-side validation (pseudocode):

if request.POST['csrf_token'] != session['csrf_token']:
    return 403 Forbidden

Why it works: The attacker can craft a cross-site form submission, but they cannot read the CSRF token from your page (same-origin policy prevents it). Without the correct token, the server rejects the request.

Even better: Combine with SameSite=Lax or SameSite=Strict cookie attribute for defense-in-depth.

See: OWASP CSRF Prevention Cheat Sheet

From Quiz: SPRG / Input Validation & Output Encoding | Updated: Jun 20, 2026