CSRF tricks users into performing unwanted actions on sites where they're authenticated.
Attack scenario:
- User logs into bank.com
- User visits malicious site
- Malicious site sends request to bank.com
- Browser includes bank.com cookies
- Bank processes unauthorized transfer
Prevention:
- CSRF tokens: Server generates token, validates on submission
- SameSite cookies: Prevent cookies from being sent cross-site
- Check Origin/Referer headers
Modern APIs: set SameSite=Strict or SameSite=Lax on session cookies. Note that Lax still sends the cookie on top-level GET navigations, so state-changing actions must not be reachable via GET.
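The prevention measures above, combined in one server-side check, as an added example that is not part of the original note: a per-session CSRF token validated in constant time, an Origin/Referer check against the site's own origin, and a SameSite session cookie. The site origin, the in-memory session store and the `validate_transfer` function are assumptions made for this illustration.

```python
import hmac
import secrets

# Trusted origin of the application (assumed value for this example).
SITE_ORIGIN = "https://bank.example"

# In-memory session store: session_id -> CSRF token (constructed for the demo;
# a real deployment keeps the token in the server-side session).
_sessions: dict[str, str] = {}


def issue_csrf_token(session_id: str) -> str:
    """Generate an unguessable per-session token and remember it server-side."""
    token = secrets.token_urlsafe(32)
    _sessions[session_id] = token
    return token


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie header for the session id with SameSite and hardening flags.
    Lax still allows top-level GET navigations, so transfers must use POST."""
    return f"Set-Cookie: session={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax"


def origin_allowed(headers: dict[str, str]) -> bool:
    """Accept only if Origin (or, failing that, Referer) matches our own site."""
    origin = headers.get("Origin")
    if origin is not None:
        return origin == SITE_ORIGIN
    referer = headers.get("Referer")
    if referer is not None:
        return referer.startswith(SITE_ORIGIN + "/")
    return False  # neither header present: reject rather than guess


def validate_transfer(session_id: str, headers: dict[str, str], form: dict[str, str]) -> bool:
    """True only when the request has a known session, an allowed Origin/Referer
    and the CSRF token that was issued to that session."""
    expected = _sessions.get(session_id)
    if expected is None or not origin_allowed(headers):
        return False
    submitted = form.get("csrf_token", "")
    # Constant-time comparison so the token cannot be recovered via timing.
    return hmac.compare_digest(expected, submitted)


def demo() -> tuple[bool, bool]:
    """Replay the attack scenario: a legitimate submission versus a forged one."""
    sid = "sess-1"  # constructed session id
    token = issue_csrf_token(sid)
    legit = validate_transfer(sid, {"Origin": SITE_ORIGIN}, {"csrf_token": token, "amount": "100"})
    # Forged request: the browser would attach the session cookie, but the
    # attacker's page knows neither the token nor can it present our Origin.
    forged = validate_transfer(sid, {"Origin": "https://evil.example"}, {"amount": "100"})
    return legit, forged
```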