Understanding CSRF
So, you must have noticed something called a CSRF token in the form templates. What does it do? It is a security mechanism against Cross-Site Request Forgery (CSRF) attacks for your forms.
It works by injecting a server-generated random string called a CSRF token, unique to a user's session. Every time a form is submitted, it must have a hidden field that contains this token. This token ensures that the form was generated for the user by the original site, rather than a fake form created by an attacker with similar fields.
CSRF tokens are not recommended for forms using the GET
method because the GET
actions should not change the server state. Moreover, forms submitted via GET
would expose the CSRF token in the URLs. Since URLs have a higher risk of being logged or shoulder-sniffed, it is better to use CSRF in forms using the POST
method.