How do developers prevent CSRF?
The classic method used by most developers to properly fix this vulnerability is by adding a secret token or nonce, called an anti-CSRF token, to every sensitive request, which is then verified by the server for authenticity.
Let's come back to our banking web application and see how it can be fixed by adding a secret token alongside other request parameters.
Assuming the user is logged into the banking application, the server assigns the user's session a unique anti-CSRF token, say ABC123, and embeds it in all sensitive forms and URLs. Now, to transfer 500 dollars to John, the URL would become the following:
https://bank.example.com/transfer/money?username=John&amount=500&token=ABC123
This token parameter's value will be checked and validated by the server with respect to the session of the logged-in user, and if they mismatch then the transfer will be denied. This concept makes use of the fact that a fairly long alphanumeric token will get very difficult for...
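The server-side half of this scheme, as an added example that is not code from the original article: a session-bound token is generated at login with a cryptographically secure random source, embedded in the transfer URL, and compared in constant time against the token stored for the session. The in-memory `SESSIONS` dictionary, the `create_session` and `handle_transfer` function names, and the constructed request URLs are all assumptions of this example; a real application would use its framework's session backend.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlparse

# Constructed in-memory session store: session_id -> session data.
# Assumption of this example; a real app keeps sessions in a server-side store.
SESSIONS = {}


def create_session(username):
    """Log a user in and bind a fresh anti-CSRF token to the new session."""
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = {
        "user": username,
        # 32 random bytes -> 43 URL-safe characters, unguessable by an attacker
        "csrf_token": secrets.token_urlsafe(32),
    }
    return session_id


def token_for_session(session_id):
    """Return the token the server embeds in this session's forms and URLs."""
    return SESSIONS[session_id]["csrf_token"]


def handle_transfer(session_id, url):
    """Process a money transfer.

    session_id comes from the browser's session cookie (sent automatically,
    which is exactly what CSRF abuses); url is the request the browser made.
    Returns (http_status, message).
    """
    session = SESSIONS.get(session_id)
    if session is None:
        return (401, "not logged in")

    params = parse_qs(urlparse(url).query)
    supplied = params.get("token", [""])[0]

    # Constant-time comparison against the token bound to *this* session.
    # A cross-site request carries the cookie but cannot read the token,
    # so it arrives with no token, a guessed one, or another session's token.
    if not hmac.compare_digest(supplied.encode(), session["csrf_token"].encode()):
        return (403, "CSRF token mismatch: transfer denied")

    recipient = params.get("username", [""])[0]
    amount = int(params.get("amount", ["0"])[0])
    return (200, f"transferred {amount} to {recipient} on behalf of {session['user']}")


if __name__ == "__main__":
    sid = create_session("alice")
    good = f"https://bank.example.com/transfer/money?username=John&amount=500&token={token_for_session(sid)}"
    forged = "https://bank.example.com/transfer/money?username=John&amount=500&token=ABC123"
    print(handle_transfer(sid, good))    # (200, 'transferred 500 to John on behalf of alice')
    print(handle_transfer(sid, forged))  # (403, 'CSRF token mismatch: transfer denied')
```

The check that matters is the binding between the cookie-identified session and the token value: a token that is merely "present" is not enough, which is why the example also rejects a token that was validly issued to a different session.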