What Is CSRF (Cross-Site Request Forgery)?

Cross-Site Request Forgery (CSRF): an attack that forces an authenticated user's browser to perform unwanted actions on a web application where that user is currently logged in. The attacker tricks the browser into sending a request to the target application, and the browser attaches the user's existing session cookies to it automatically.

Why It Matters for AI-Coded Apps

Most AI-generated backends skip CSRF protection entirely. State-changing API endpoints (POST, PUT, DELETE) are created without CSRF tokens, especially in SPA architectures where developers assume the API is only accessed by their frontend. 52% of vibe-coded apps in our research had no CSRF protection on critical endpoints.

Real-World Example

A banking app has an endpoint POST /transfer?to=account&amount=1000. An attacker creates a page containing <img src='https://bank.com/transfer?to=attacker&amount=1000'>. When a logged-in bank user visits the attacker's page, their browser fetches the image URL with the user's valid session cookies attached, and the bank transfers the money without the user's knowledge. Note that an <img> tag issues a GET request, so this exact page only succeeds if the server also accepts GET for the transfer; a state-changing endpoint that is reachable on GET is a defect in its own right, and the underlying CSRF weakness is the same regardless of method.

How to Detect and Prevent It

Implement CSRF tokens for all state-changing requests. Use the SameSite cookie attribute (set to Lax or Strict). Verify the Origin and Referer headers on the server. For SPAs using JWT in headers (not cookies), CSRF is less of a concern since tokens aren’t sent automatically.

Frequently Asked Questions

Do SPAs need CSRF protection?

It depends on how authentication works. If you use cookies for auth (including HttpOnly session cookies), yes. If you use Bearer tokens in the Authorization header, CSRF is not a risk because browsers don’t automatically attach custom headers to cross-origin requests.

What is the SameSite cookie attribute?

SameSite is a cookie attribute that controls whether cookies are sent with cross-site requests. Strict never sends cookies cross-site, Lax sends them for top-level navigations (GET only), and None always sends them (requires Secure flag). Lax is the recommended default.
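To make the Strict / Lax / None rules concrete, here is an added example (not code from the original page or from Vibe Eval) that builds a Set-Cookie header with the SameSite attribute and then models the browser's decision to attach that cookie for several request contexts, including the image-tag forgery from the banking example above. The site() helper approximates the registrable domain with the last two host labels, which is a simplification of what browsers actually do with the Public Suffix List; all origins and function names are constructed for the example.

```javascript
// Added example (not from the original page): a simplified model of the
// SameSite rules described above. It is an illustration, not a browser.

// Registrable-domain approximation: last two labels of the hostname. Real
// browsers consult the Public Suffix List; this is enough for the examples.
function site(origin) {
  return new URL(origin).hostname.split('.').slice(-2).join('.');
}

// Build a Set-Cookie header value. SameSite=None is only accepted by browsers
// when Secure is also present, so that combination is enforced here.
function buildSetCookie(name, value, { sameSite = 'Lax', secure = true, httpOnly = true } = {}) {
  if (sameSite === 'None' && !secure) {
    throw new Error('SameSite=None requires the Secure attribute');
  }
  const parts = [`${name}=${value}`, 'Path=/', `SameSite=${sameSite}`];
  if (httpOnly) parts.push('HttpOnly');
  if (secure) parts.push('Secure');
  return parts.join('; ');
}

// Decide whether a cookie with the given SameSite value is attached.
// ctx = { initiatorOrigin: page issuing the request,
//         targetOrigin:    origin the request is sent to,
//         method:          HTTP method,
//         topLevelNavigation: true for link clicks / form posts that change the
//                             address bar, false for images, fetch, XHR }
function cookieSent(sameSite, ctx) {
  if (site(ctx.initiatorOrigin) === site(ctx.targetOrigin)) return true; // same-site: always sent
  switch (sameSite) {
    case 'Strict':
      return false; // never sent cross-site
    case 'Lax':
      // sent only for top-level navigations using GET, as the text above states
      return ctx.topLevelNavigation === true && ctx.method.toUpperCase() === 'GET';
    case 'None':
      return true; // always sent (Secure required, see buildSetCookie)
    default:
      throw new Error(`unknown SameSite value: ${sameSite}`);
  }
}

// Constructed contexts: the banking example's <img> forgery is a cross-site,
// non-navigational GET; a link click is a cross-site top-level GET.
const imgForgery = { initiatorOrigin: 'https://attacker.example', targetOrigin: 'https://bank.example',
                     method: 'GET', topLevelNavigation: false };
const linkClick = { ...imgForgery, topLevelNavigation: true };

console.log(buildSetCookie('session', 'abc123'));
console.log('img forgery, Lax   :', cookieSent('Lax', imgForgery));   // false
console.log('img forgery, None  :', cookieSent('None', imgForgery));  // true
console.log('link click,  Lax   :', cookieSent('Lax', linkClick));    // true
console.log('link click,  Strict:', cookieSent('Strict', linkClick)); // false
```

The model shows why Lax is a reasonable default: it stops the image-tag and cross-site POST cases while keeping cookies on ordinary links into the site, and why Lax alone is not a substitute for tokens when a state-changing action is reachable by a top-level GET.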

Is CSRF still a threat with modern frameworks?

Modern frameworks like Next.js, Django, and Rails include CSRF protection by default, but it must be properly configured. API-only backends, custom auth implementations, and AI-generated code frequently skip these protections.
