JavaScript Security: Preventing Cross-Site Request Forgery (CSRF) Attacks

By Alessandro D.P.4 min readMarch 20, 2026

To mitigate CSRF vulnerabilities, developers can implement several techniques, including using anti-CSRF tokens, SameSite cookies, and custom headers. This article will provide a detailed examination of these methods, illustrated with practical code snippets.

Understanding CSRF Tokens

One of the most common methods to prevent CSRF attacks is the use of anti-CSRF tokens. These tokens are unique, secret, and unpredictable values that are generated by the server and sent to the client. The client must include this token in subsequent requests to validate the authenticity of the request.

Implementation Steps

Generate a CSRF Token on the Server: When a user initiates a session or loads a form, generate a unique CSRF token and store it in the user's session.

Embed the Token in Forms: Include the CSRF token as a hidden field in forms or as a custom header in AJAX requests.

Validate the Token on the Server: When the server receives a request, it checks the validity of the CSRF token before processing the request.

Example Code

Here’s a simple example using Node.js and Express:

// Install the necessary packages
// npm install express csurf cookie-parser

const express = require('express');
const cookieParser = require('cookie-parser');
const csrf = require('csurf');

const app = express();
const csrfProtection = csrf({ cookie: true });

app.use(cookieParser());
app.use(express.urlencoded({ extended: true }));

// Middleware to set CSRF token
app.get('/form', csrfProtection, (req, res) => {
    res.send(`
        <form action="/submit" method="POST">
            <input type="hidden" name="_csrf" value="${req.csrfToken()}">
            <button type="submit">Submit</button>
        </form>
    `);
});

// Handle form submission
app.post('/submit', csrfProtection, (req, res) => {
    res.send('Form submitted successfully!');
});

app.listen(3000, () => {
    console.log('Server is running on http://localhost:3000');
});

Token Storage and Transmission

Tokens can be stored in cookies or session storage. If using cookies, ensure they are marked as HttpOnly and Secure to prevent access via JavaScript and to ensure they are only sent over HTTPS.

SameSite Cookies

Another effective method to prevent CSRF is the use of SameSite cookies. This attribute can be set to Strict, Lax, or None, controlling how cookies are sent with cross-origin requests.

Cookie Attributes

Attribute	Description
Strict	Cookies are not sent with requests initiated by third-party websites.
Lax	Cookies are sent with top-level navigation and GET requests initiated by third-party websites.
None	Cookies are sent with all requests, regardless of origin.

Setting SameSite Cookies

Here’s how to set a SameSite cookie in an Express application:

app.use((req, res, next) => {
    res.cookie('sessionId', 'your-session-id', {
        httpOnly: true,
        secure: true,
        sameSite: 'Strict' // or 'Lax'
    });
    next();
});

Custom Headers for AJAX Requests

When making AJAX requests, you can add custom headers to requests that are expected to be safe. This can help in validating that requests are coming from a legitimate source.

Example of Adding Custom Headers

fetch('/api/submit', {
    method: 'POST',
    headers: {
        'Content-Type': 'application/json',
        'X-CSRF-Token': csrfToken // Include the CSRF token here
    },
    body: JSON.stringify({ data: 'example' })
})
.then(response => response.json())
.then(data => console.log(data))
.catch(error => console.error('Error:', error));

Server-Side Validation of Custom Headers

On the server side, validate the presence and correctness of the custom header:

app.post('/api/submit', (req, res) => {
    const csrfToken = req.headers['x-csrf-token'];
    if (!csrfToken || csrfToken !== req.csrfToken()) {
        return res.status(403).send('CSRF token mismatch');
    }
    // Process the request
    res.send('Request processed successfully!');
});

Conclusion

Preventing CSRF attacks is crucial for maintaining the integrity and security of web applications. By implementing anti-CSRF tokens, utilizing SameSite cookie attributes, and validating custom headers, developers can significantly reduce the risk of these types of attacks. Always keep your security practices updated and regularly review your application for vulnerabilities.

Learn more with useful resources: