CSRF (cross-site request forgery): performing an action on a site as a logged-in user.
Mechanism
Logged into bank.uz → visit hacker.com → form silently submits POST to bank.uz.
CSRF token
Hidden input with random string. Server verifies.
SameSite cookies
Set-Cookie: SameSite=Strict.
Custom header
X-CSRF-Token for AJAX.
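
An added example (not part of the original notes) of the server-side check behind the CSRF token and custom header items: a per-session random token is issued, embedded as a hidden input, and verified on every state-changing request from either the form field or the X-CSRF-Token header. The `csrf_token` field name, the dict-based session and the function names are assumptions made for illustration.

```python
import hmac
import secrets

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}  # read-only methods: no token check
FORM_FIELD = "csrf_token"   # assumed name of the hidden input
HEADER = "X-CSRF-Token"     # custom header sent by AJAX calls


def issue_token(session: dict) -> str:
    """Create one random token per session and keep it server-side."""
    token = session.get("csrf")
    if token is None:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        session["csrf"] = token
    return token


def hidden_input(session: dict) -> str:
    """HTML to embed in every state-changing form rendered for this session."""
    return f'<input type="hidden" name="{FORM_FIELD}" value="{issue_token(session)}">'


def is_request_allowed(method: str, session: dict, form: dict, headers: dict) -> bool:
    """Reject state-changing requests that do not carry the session's token."""
    if method.upper() in SAFE_METHODS:
        return True
    expected = session.get("csrf")
    if not expected:
        return False  # no token was ever issued for this session: fail closed
    # HTTP header names are case-insensitive, so normalise before lookup.
    lowered = {name.lower(): value for name, value in headers.items()}
    supplied = form.get(FORM_FIELD) or lowered.get(HEADER.lower()) or ""
    # Constant-time comparison avoids leaking the token through timing.
    return hmac.compare_digest(supplied.encode(), expected.encode())


if __name__ == "__main__":
    session = {}  # constructed sample session
    token = issue_token(session)
    print(hidden_input(session))
    # Same-site form post carrying the hidden input: accepted.
    print(is_request_allowed("POST", session, {FORM_FIELD: token}, {}))
    # Cross-site post: the cookie rides along, but the token is missing: rejected.
    print(is_request_allowed("POST", session, {"amount": "100"}, {}))
```

The token must be tied to the session and never placed in a URL, since URLs end up in logs and Referer headers.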