Cross-Site Request Forgery (CSRF)
An attacker tricks an authenticated user's browser into making a request to your site, riding the user's session cookie.
GateTest coverage
Caught by: cookieSecurity, webHeaders
Example
A bank's /transfer endpoint performs a transfer from GET parameters alone. An attacker embeds <img src="https://bank.example/transfer?to=evil&amount=1000"> on a page the victim visits (bank.example standing in for the bank's origin; the URL must be absolute, since a relative src would point at the attacker's own site). The victim's browser fetches the "image" and attaches the bank session cookie, so the transfer executes without any action by the user.
How to fix it
Use SameSite=Lax or SameSite=Strict on session cookies, and verify a CSRF token on every state-changing request. SameSite=Lax still sends the cookie on top-level GET navigations, so state-changing actions must require POST (or another non-safe method) and never run from a GET. cookieSecurity flags missing SameSite. webHeaders flags a missing CSP frame-ancestors directive, which addresses the related clickjacking vector.
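A server-side version of the fix above, as an added example that is not GateTest's or this page's own code. It issues the session cookie with SameSite=Lax, binds a CSRF token to the session with an HMAC, and rejects GET-based state changes, cross-origin requests and bad tokens. The origin bank.example, the SECRET_KEY, the dict-shaped request and the function names are assumptions made for the example; the three request objects are constructed to match the page's <img> scenario, an auto-submitting cross-site form, and a legitimate same-origin POST.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlparse

# Assumptions for this example (not GateTest code): a per-deployment server
# secret and the application's own origin. Both are placeholders.
SECRET_KEY = secrets.token_bytes(32)
SITE_ORIGIN = "https://bank.example"
STATE_CHANGING_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def session_set_cookie(session_id):
    """Set-Cookie value for the session cookie.

    SameSite=Lax withholds the cookie on cross-site POSTs and on cross-site
    subresource loads such as <img>, but it is still sent on top-level GET
    navigations, so the server-side checks below remain necessary.
    """
    return "session=%s; Path=/; Secure; HttpOnly; SameSite=Lax" % session_id


def issue_csrf_token(session_id):
    """Stateless synchronizer token: an HMAC of the session id under the
    server secret, so a token minted for one session fails for another."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def check_csrf(method, headers, session_id, form):
    """Return (ok, reason). Rejects GET-based state changes, cross-origin
    requests, and requests whose token does not match the session."""
    if method not in STATE_CHANGING_METHODS:
        return False, "state-changing action must not be reachable via GET"
    origin = headers.get("Origin") or headers.get("Referer")
    if origin:
        parsed = urlparse(origin)
        if "%s://%s" % (parsed.scheme, parsed.netloc) != SITE_ORIGIN:
            return False, "cross-origin request"
    expected = issue_csrf_token(session_id)
    supplied = form.get("csrf_token", "")
    if not hmac.compare_digest(supplied, expected):
        return False, "missing or invalid csrf token"
    return True, "ok"


def handle_transfer(request):
    """Minimal /transfer handler over a dict-shaped request (constructed for
    this example). Returns an HTTP status code."""
    session_id = request.get("cookies", {}).get("session")
    if not session_id:
        return 401
    ok, _reason = check_csrf(request["method"], request.get("headers", {}),
                             session_id, request.get("form", {}))
    if not ok:
        return 403
    # ... perform the transfer for request["form"]["to"] / ["amount"] ...
    return 200


# Constructed requests: the forged <img> from the page's example, a forged
# auto-submitting cross-site form, and a legitimate same-origin POST.
FORGED_IMG_GET = {
    "method": "GET",
    "headers": {"Referer": "https://evil.example/"},
    "cookies": {"session": "s1"},
    "form": {"to": "evil", "amount": "1000"},
}
FORGED_CROSS_SITE_POST = {
    "method": "POST",
    "headers": {"Origin": "https://evil.example"},
    "cookies": {"session": "s1"},
    "form": {"to": "evil", "amount": "1000"},
}
LEGIT_POST = {
    "method": "POST",
    "headers": {"Origin": SITE_ORIGIN},
    "cookies": {"session": "s1"},
    "form": {"to": "alice", "amount": "10", "csrf_token": issue_csrf_token("s1")},
}

if __name__ == "__main__":
    print(session_set_cookie("s1"))
    for name, req in [("forged img GET", FORGED_IMG_GET),
                      ("forged cross-site POST", FORGED_CROSS_SITE_POST),
                      ("legitimate POST", LEGIT_POST)]:
        print(name, handle_transfer(req))
```

The forged requests are fed to the handler with the session cookie present, which is what happens when the cookie has no SameSite attribute or the browser ignores it; the server-side checks reject them regardless, so the cookie attribute and the token are layered rather than alternatives. The token is compared with hmac.compare_digest to avoid a timing side channel, and the Origin check is a secondary control that only fires when the browser supplied the header.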
Scan your repo for CWE-352
Free preview of findings. Pay per scan — no subscription. AI auto-fix PR included on the Scan + Fix tier.
Frequently asked questions
What is CWE-352 (Cross-Site Request Forgery (CSRF))?
An attacker tricks an authenticated user's browser into making a request to your site, riding the user's session cookie.
How do I fix cross-site request forgery (csrf)?
Use SameSite=Lax or SameSite=Strict on session cookies, and verify a CSRF token on every state-changing request. SameSite=Lax still sends the cookie on top-level GET navigations, so state-changing actions must require POST (or another non-safe method) and never run from a GET. cookieSecurity flags missing SameSite. webHeaders flags a missing CSP frame-ancestors directive, which addresses the related clickjacking vector.
Does GateTest detect cross-site request forgery (csrf)?
Yes — GateTest's cookieSecurity and webHeaders modules catch this class. Findings appear in the standard scan output with file and line numbers. On the Scan + Fix and Forensic Scan tiers, Claude opens a pull request with the fix.
What rank is Cross-Site Request Forgery (CSRF) in the CWE Top 25?
Cross-Site Request Forgery (CSRF) is ranked #9 in the MITRE 2023 CWE Top 25 Most Dangerous Software Weaknesses list. The ranking reflects both prevalence (how often it appears in real CVEs) and severity (the typical impact when it's exploited).