interview

home / developersection / interviews / what is csrf and how do you protect against it in apis?

Ask Question

What is CSRF and how do you protect against it in APIs?

ICSM Computer 204 10-Jun-2025
c# api(s) 
Updated on 10-Jun-2025
ICSM Computer

IT-Hardware & Networking

Ravi Vishwakarma is a dedicated Software Developer with a passion for crafting efficient and innovative solutions. With a keen eye for detail and years of experience, he excels in developing robust software systems that meet client needs. His expertise spans across multiple programming languages and technologies, making him a valuable asset in any software development project.

Follow
Can you answer this question?
Answer

1 Answers

ICSM Computer

ICSM Computer

10-Jun-2025

CSRF (Cross-Site Request Forgery) is a type of web security vulnerability where a malicious website tricks a user's browser into making unauthorized requests to a different site where the user is already authenticated.

Example of a CSRF Attack:

Let’s say:

  • You're logged into https://mybank.com.
  • You visit a malicious site: http://evil.com.
  • That site runs JavaScript like:
<img src="https://mybank.com/api/transfer?amount=1000&to=attacker" />
  • The browser automatically includes cookies for mybank.com with that request — even though the request came from a malicious site.

➡ Result: Money transferred without user’s intention.

CSRF Is a Threat Only When:

  • Authentication is cookie-based (since cookies are automatically sent).
  • The user is logged in.
  • The attacker can trick the user into loading or submitting a request.

How to Protect APIs from CSRF

Method Works With Description
Anti-Forgery Tokens (CSRF Tokens) Cookie-based auth (e.g., MVC, Razor, SPAs with cookies) Server generates a random token, which the client must send back. Server verifies it.
Use Bearer Tokens (e.g., JWT) APIs with headers (not cookies) No cookies → no CSRF risk. Tokens must be manually sent with requests, so attacker can't forge them.
SameSite Cookies Cookie-based sessions Set cookies with SameSite=Strict or Lax so they're not sent on cross-origin requests.
Disable unsafe HTTP methods Public APIs Accept only GET (safe) unless authenticated.
Validate Origin or Referer headers Browser requests Server checks if request is from a trusted domain.

Most Secure Setup for APIs

If your API is:

  • Used by a browser with cookies → use Anti-Forgery Tokens.
  • Used by SPAs, mobile apps, Postman, etc. → use JWTs or API Keys in Authorization headers instead of cookies.

Why JWT is safer for APIs?

  • Stored in memory (not cookies).
  • Must be added to the Authorization header by JavaScript:
Authorization: Bearer <your-token>
  • Attackers cannot forge or steal it with a CSRF attack.

In Summary

Technique Prevents CSRF? Applies To
Anti-forgery token Yes Cookie-auth apps (e.g., MVC forms, Razor pages)
JWT / Bearer token in header Yes APIs (SPAs, mobile apps)
SameSite cookies Yes Prevents auto-sending cookies cross-site
Checking Origin / Referer Yes Basic validation layer (not foolproof)

If your Web API is authenticated using cookies, and it supports browser-based users, you should implement CSRF tokens.

If you're building a RESTful API for SPAs or mobile apps, use bearer tokens or API keys — then CSRF is not a concern.

Would you like a code example of CSRF protection in:

  • ASP.NET MVC with Razor views?
  • Or a token-based authentication setup for Web API?
advertising
advertising

Liked By

We use cookies to ensure you have the best browsing experience on our website. By using our site, you acknowledge that you have read and understood our Cookie Policy & Privacy Policy