CSRFToken
A CSRF token, or cross-site request forgery token, is a secret value used by web applications to distinguish legitimate requests from forged requests that arrive from another site. The token is generated by the server and tied to the user's session or to the specific form being submitted.
During a state-changing request (such as POST, PUT, DELETE), the token must be included by the client,
There are two common approaches: synchronizer tokens, where the server stores a token and validates it on
Implementation notes: tokens should be unpredictable, rotated after use, and scoped to a session or form. They
Limitations: CSRF protection does not protect against cross-site scripting (XSS); if an attacker can read the
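As an added illustration (not part of this entry), a minimal synchronizer-token implementation in Python: the server mints an unpredictable token, stores it in the session scoped to a form, validates it in constant time, and discards it after use. The session dict, form ids and `handle_post` handler are constructed for the example and are not any framework's API.

```python
import hmac
import secrets


def issue_token(session, form_id):
    """Mint an unpredictable token for one form and remember it in the
    server-side session (synchronizer-token pattern). The caller embeds
    the returned value in the form, e.g. as a hidden field."""
    token = secrets.token_urlsafe(32)
    session.setdefault("csrf", {}).setdefault(form_id, set()).add(token)
    return token


def validate_token(session, form_id, submitted):
    """Return True only if `submitted` is a token this session issued for
    this form. Comparison is constant-time, and the token is consumed so
    a captured value cannot be replayed."""
    if not submitted:
        return False
    issued = session.get("csrf", {}).get(form_id, set())
    for token in list(issued):
        if hmac.compare_digest(token.encode(), submitted.encode()):
            issued.discard(token)  # rotate after use
            return True
    return False


def handle_post(session, form_id, form):
    """Constructed state-changing handler: reject the request unless it
    carries a valid token. A forged cross-site request rides on the
    victim's cookies but cannot supply the token, so it gets 403."""
    if not validate_token(session, form_id, form.get("csrf_token")):
        return 403, "CSRF token missing or invalid"
    return 200, "state changed"


if __name__ == "__main__":
    session = {}  # constructed per-user session store
    token = issue_token(session, "transfer")
    print(handle_post(session, "transfer", {"amount": "100"}))          # forged: no token
    print(handle_post(session, "transfer", {"csrf_token": token}))      # legitimate
    print(handle_post(session, "transfer", {"csrf_token": token}))      # replay, rejected
```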