
HTML Security: Securing Forms Against CSRF Attacks
To effectively mitigate CSRF vulnerabilities, developers should adopt a combination of techniques, including the use of anti-CSRF tokens, SameSite cookies, and proper validation mechanisms. This article will delve into these strategies, providing clear examples and best practices.
Understanding CSRF
CSRF exploits the trust that a web application has in the user's browser. When a user is authenticated and visits a malicious site, that site can cause the browser to send requests to the legitimate site, and the browser automatically attaches the user's session cookies to them. This can result in actions such as changing passwords, transferring funds, or altering user settings without the user's consent.
Example of a CSRF Attack
Consider a user who is logged into their bank account and visits a malicious site that contains the following HTML code:
```html
<form action="https://bank.com/transfer" method="POST">
  <input type="hidden" name="amount" value="1000">
  <input type="hidden" name="to" value="attacker_account">
  <input type="submit" value="Transfer Funds">
</form>
```
When the user unknowingly submits this form, the browser sends it with the user's bank session cookie, and the bank processes the request, thinking it is a legitimate action from the authenticated user.
Best Practices for CSRF Protection
1. Implement Anti-CSRF Tokens
Anti-CSRF tokens are unique, unpredictable values generated for each user session. These tokens must be included in every state-changing request, allowing the server to validate the legitimacy of the request. Because the same-origin policy prevents an attacker's page from reading the token out of your pages, a forged request arrives without a valid one and is rejected.
Example Implementation
In a typical form submission, you can include an anti-CSRF token as follows:
```html
<form action="/submit" method="POST">
  <input type="hidden" name="csrf_token" value="{{ csrf_token }}">
  <input type="text" name="username" required>
  <input type="password" name="password" required>
  <input type="submit" value="Login">
</form>
```
On the server side, validate the token:
```php
session_start();
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // The token must already have been generated and stored in $_SESSION['csrf_token']
    // when the form was rendered; a missing session token or form token fails closed.
    $expected  = $_SESSION['csrf_token'] ?? '';
    $submitted = $_POST['csrf_token'] ?? '';
    // hash_equals compares in constant time, so the check leaks no timing information.
    if ($expected === '' || !is_string($submitted) || !hash_equals($expected, $submitted)) {
        http_response_code(403);
        die("CSRF token validation failed.");
    }
    // Proceed with processing the form
}
```

2. Use SameSite Cookies
The SameSite attribute for cookies can help mitigate CSRF by restricting how cookies are sent with cross-site requests. Strict withholds the cookie from every cross-site request; Lax still sends it on top-level navigations that use a safe method such as GET, but not on cross-site POST submissions like the one in the example above.
Example of Setting SameSite Cookies
In PHP, you can set a cookie with the SameSite attribute as follows:
```php
// The array form of setcookie with a 'samesite' key requires PHP 7.3 or later.
setcookie('session_id', $sessionId, [
    'expires'  => time() + 3600,
    'path'     => '/',
    'domain'   => 'yourdomain.com',
    'secure'   => true,   // only sent over HTTPS
    'httponly' => true,   // not readable from JavaScript
    'samesite' => 'Strict' // or 'Lax'
]);
```

3. Validate Referer Header
Another method to protect against CSRF is to validate the Referer header of incoming requests. This can help ensure that requests are coming from trusted sources.
Example of Validating Referer Header
```php
// Compare host names only: parse_url(..., PHP_URL_HOST) returns just the host,
// so the allow-list must not contain a scheme or path.
$allowed_hosts = ['yourdomain.com', 'www.yourdomain.com'];
if (isset($_SERVER['HTTP_REFERER'])) {
    $referer_host = parse_url($_SERVER['HTTP_REFERER'], PHP_URL_HOST);
    if (!in_array($referer_host, $allowed_hosts, true)) {
        http_response_code(403);
        die("Invalid referer.");
    }
}
// Note: a request that carries no Referer header (for example, one stripped by a
// browser privacy setting or Referrer-Policy) passes this check unexamined.
```

4. Limit HTTP Methods
Restricting the HTTP methods allowed for certain actions can also reduce the risk of CSRF. For example, state-changing actions should only accept POST requests.
Example of Restricting Methods
In your server configuration or application logic, ensure that sensitive actions are only accessible via POST:
```php
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    die("Method not allowed.");
}
```

Summary of CSRF Protection Techniques
| Technique | Description | Implementation Example |
|---|---|---|
| Anti-CSRF Tokens | Unique tokens for each session to validate requests | `<input type="hidden" name="csrf_token" value="{{ csrf_token }}">` |
| SameSite Cookies | Restrict cookie transmission with cross-site requests | `setcookie('session_id', $sessionId, ['samesite' => 'Strict']);` |
| Referer Header Validation | Check the source of requests to ensure legitimacy | `if (!in_array(parse_url($_SERVER['HTTP_REFERER'], PHP_URL_HOST), $allowed_hosts, true))` |
| Limit HTTP Methods | Restrict actions to specific HTTP methods | `if ($_SERVER['REQUEST_METHOD'] !== 'POST')` |
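The following pulls the token, Referer and method checks from sections 1, 3 and 4 together into one login handler, including the token generation step that the snippets above leave to a template. It is an added example, not code from the original article: it assumes PHP 7.3 or later (for the array form of session_set_cookie_params with a samesite key), the hostnames in ALLOWED_HOSTS are constructed placeholders, and csrf_token, csrf_token_is_valid, referer_is_trusted and render_login_form are names chosen for this example. Unlike the Referer snippet in section 3, referer_is_trusted fails closed when the header is absent and requires https; since browsers and Referrer-Policy settings can strip the header from legitimate requests, treat it as a secondary check behind the token rather than the sole defence.

```php
<?php
// Added example (not from the original article): one handler combining
// anti-CSRF tokens, SameSite session cookies, Referer validation and a
// POST-only rule. Assumes PHP 7.3+; host names below are constructed.
declare(strict_types=1);

// Hosts accepted in the Referer header (constructed placeholder values).
const ALLOWED_HOSTS = ['yourdomain.com', 'www.yourdomain.com'];

// Return the session's anti-CSRF token, creating it on first use.
// 32 bytes from the CSPRNG, hex-encoded, so it cannot be guessed.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Compare a submitted token with the session token in constant time.
// Missing session token, missing value, or a non-string value all fail closed.
function csrf_token_is_valid($submitted): bool
{
    if (empty($_SESSION['csrf_token']) || !is_string($submitted) || $submitted === '') {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

// Referer check that fails closed on a missing header, requires https,
// and compares the host name exactly against the allow-list.
function referer_is_trusted(?string $referer, array $allowedHosts): bool
{
    if ($referer === null || $referer === '') {
        return false;
    }
    $parts = parse_url($referer);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    return strtolower($parts['scheme']) === 'https'
        && in_array(strtolower($parts['host']), $allowedHosts, true);
}

// Render the login form with the session token embedded as a hidden field.
function render_login_form(): string
{
    $token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
    return '<form action="/submit" method="POST">'
        . '<input type="hidden" name="csrf_token" value="' . $token . '">'
        . '<input type="text" name="username" required>'
        . '<input type="password" name="password" required>'
        . '<input type="submit" value="Login">'
        . '</form>';
}

// Session cookie: HTTPS only, not script-readable, and not sent on
// cross-site POSTs (Lax); use 'Strict' to withhold it on all cross-site requests.
session_set_cookie_params([
    'lifetime' => 3600,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

// Only POST may change state; any other method just gets the form.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    echo render_login_form();
    exit;
}

if (!referer_is_trusted($_SERVER['HTTP_REFERER'] ?? null, ALLOWED_HOSTS)) {
    http_response_code(403);
    exit('Invalid referer.');
}

if (!csrf_token_is_valid($_POST['csrf_token'] ?? null)) {
    http_response_code(403);
    exit('CSRF token validation failed.');
}

// All checks passed: proceed with processing the form.
// Dropping the token after a successful state change means the next form
// render issues a fresh one, limiting how long a leaked token stays useful.
unset($_SESSION['csrf_token']);
```

The token is generated once per session and embedded into every form by render_login_form; because the page itself is what carries the token into the browser, a cross-site page has no way to obtain it. The Referer and method checks run before the token check so that cheap rejections happen first, but the token remains the control the design relies on.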
Conclusion
Securing HTML forms against CSRF attacks is essential for protecting user data and maintaining the integrity of web applications. By implementing anti-CSRF tokens, utilizing SameSite cookies, validating referer headers, and restricting HTTP methods, developers can significantly mitigate the risks associated with CSRF vulnerabilities.
