Cross-Site Request Forgery (CSRF)

Description

Cross-site request forgery, or CSRF, takes advantage of a user’s authenticated browser state to make requests on their behalf from a malicious website. For request handlers that do not require an additional piece of authenticating information (e.g. a CSRF token) this could lead to the unauthorized modification of a user’s data or settings.

On GitHub.com, we utilize Rails’ Authenticity Token to protect against CSRF attacks. All state changing requests require validation of this parameter, which is sent via an HTTP header or POST parameter.
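As an added illustration of the check described above (example code, not GitHub's or Rails' own implementation), the guard below rejects any state-changing request that does not echo the session's secret token back in either the `X-CSRF-Token` header or the `authenticity_token` parameter; the `CsrfGuard` class name and the request hash shape are assumptions made for the example.

```ruby
require "securerandom"

# Minimal stand-in for a CSRF-protected request handler (constructed example).
# Each session gets a random secret token. A cross-site page can make the
# browser send the session cookie, but it cannot read this token, so a forged
# request arrives without it and is refused before any state changes.
class CsrfGuard
  # Requests that must never change state need no token.
  SAFE_METHODS = %w[GET HEAD OPTIONS].freeze

  attr_reader :token

  def initialize
    # Per-session secret; a real app keeps this alongside the session.
    @token = SecureRandom.urlsafe_base64(32)
  end

  # request is a Hash of the form { method:, headers: {}, params: {} } (assumed shape).
  # Returns true only when the request may proceed.
  def allow?(request)
    return true if SAFE_METHODS.include?(request[:method].to_s.upcase)

    # Accept the token from the header (AJAX clients) or the form field (HTML forms).
    presented = request.dig(:headers, "X-CSRF-Token") ||
                request.dig(:params, "authenticity_token")
    return false if presented.nil?

    secure_compare(presented.to_s, @token)
  end

  private

  # Constant-time comparison so a wrong guess cannot be refined via timing.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize

    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

if $PROGRAM_NAME == __FILE__
  guard = CsrfGuard.new
  # Constructed requests: a form post carrying the token, and a forged cross-site post.
  legit  = { method: "POST", headers: {}, params: { "authenticity_token" => guard.token } }
  forged = { method: "POST", headers: {}, params: { "email" => "attacker@example.invalid" } }
  puts "legit allowed:  #{guard.allow?(legit)}"   # true
  puts "forged allowed: #{guard.allow?(forged)}"  # false
end
```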

More about CSRF vulnerabilities from OWASP’s Top 10:

CSRF takes advantage of the fact that most web apps allow attackers to predict all the details of a particular action. Because browsers send credentials like session cookies automatically, attackers can create malicious web pages which generate forged requests that are indistinguishable from legitimate ones.