Quiz Entry - updated: 2026.06.20
How do you implement CSRF protection in an HTML form?
Embed a hidden, unpredictable CSRF token in the form and validate it server-side — a forged cross-site request can't supply the right one.
HTML form with CSRF token:
<form action="/transfer" method="POST">
<input type="hidden" name="csrf_token" value="a8f3b2c1d4e5...">
<input name="amount" value="100">
<button type="submit">Transfer</button>
</form>
Server-side validation (pseudocode):
if request.POST['csrf_token'] != session['csrf_token']:
return 403 Forbidden
Why it works: The attacker can craft a cross-site form submission, but they cannot read the CSRF token from your page (same-origin policy prevents it). Without the correct token, the server rejects the request.
Even better: Combine with SameSite=Lax or SameSite=Strict cookie attribute for defense-in-depth.