
CSRF

Tags: security, csrf

Cross-Site Request Forgery, or CSRF, is a trick where a bad site makes your browser do something on another site where you are already logged in, without you realizing it.

How it works

When you log in to a site (like your bank), your browser stores a session cookie so you stay logged in, and it attaches that cookie to every later request to the bank, no matter which page triggered the request. If you visit a malicious site, it can secretly make your browser send a request to your bank (for example, "transfer money"), and your bank will think it came from you, since the cookie it receives is still valid.
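As an added example, not code from this page, here is a minimal server-side check in Python that accepts the transfer only when the request proves it came from the bank's own form. The request, session and site origin (`https://bank.example`) are constructed stand-ins, not a real framework's objects.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

SITE_ORIGIN = "https://bank.example"  # assumed origin of the protected site


@dataclass
class Session:            # constructed stand-in for a server-side session
    user: str
    csrf_token: str = ""


@dataclass
class Request:            # constructed stand-in for an incoming HTTP request
    method: str
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def issue_csrf_token(session: Session) -> str:
    """Mint a random per-session token. The site embeds it in its own forms;
    a page on another origin cannot read it, so it cannot forge a valid POST."""
    session.csrf_token = secrets.token_urlsafe(32)
    return session.csrf_token


def _same_origin(url: str) -> bool:
    """Compare scheme://host[:port] exactly; a plain prefix check would
    wrongly accept https://bank.example.attacker-controlled.test."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN


def is_csrf_safe(request: Request, session: Session) -> bool:
    """True only if a state-changing request carries proof it came from the
    site's own pages, not merely a valid session cookie."""
    if request.method in ("GET", "HEAD", "OPTIONS"):
        return True  # safe methods must not change state, so no token needed
    # Check 1: the browser-set Origin (or Referer) header must name our site.
    origin = request.headers.get("Origin") or request.headers.get("Referer", "")
    if not _same_origin(origin):
        return False
    # Check 2: the form must echo the per-session token (synchronizer token).
    submitted = request.form.get("csrf_token", "")
    if not session.csrf_token or not submitted:
        return False
    return hmac.compare_digest(submitted, session.csrf_token)
```

In a framework you would run `is_csrf_safe` on every form POST before touching account state, and additionally mark the session cookie `SameSite=Lax` or `Strict` so the browser omits it from cross-site POSTs in the first place.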

Analogy

It's like leaving a signed blank check on your desk. Someone else writes their own amount on it and cashes it. The bank trusts the signature, even though you never agreed to that payment. That's exactly how CSRF abuses your logged-in session.
