Add a page on CSRF

[wbamberg]

This PR adds a page on CSRF attacks.

It's potentially a replacement for https://developer.mozilla.org/en-US/docs/Web/Security/Practical_implementation_guides/CSRF_prevention, and compared with that page:

• explains in more concrete terms what a CSRF attack is and how it works
• describes an alternative defense
• describes in a bit more detail about the limitations of SameSite

I wonder if it's worth mentioning somewhere that CSRF is a sort of "write-only" attack: the attacker doesn't get access to the response, and doesn't care about it. So a lot of same-origin policy, which is to do with read access (MDN's own page on SOP says "Cross-origin writes are typically allowed."), isn't applicable.

[github-actions]

Preview URLs

• /en-US/docs/Web/Security/Attacks/CSRF
• /en-US/docs/Web/Security/Attacks

External URLs (5)

URL: /en-US/docs/Web/Security/Attacks/CSRF
Title: Cross-site request forgery (CSRF)

• https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html (1 time) (Note! This may be a new URL 👀)
• https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis-02 (1 time) (Note! This may be a new URL 👀)
• https://docs.djangoproject.com/en/5.1/ref/csrf/ (1 time) (Note! This may be a new URL 👀)
• https://owasp.org/ (1 time) (Note! This may be a new URL 👀)
• https://www.djangoproject.com/ (1 time) (Note! This may be a new URL 👀)

(comment last updated: 2025-02-14 21:06:42)