This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit

CSRF Mitigation methods

Revision as of 20:01, 7 September 2014 by A V Minhaz (talk | contribs)

Jump to: navigation, search
This is an Attack. To view all attacks, please see the Attack Category page.


CSRF is an attack which forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated. With a little help of social engineering (like sending a link via email/chat), an attacker may trick the users of a web application into executing actions of the attacker's choosing. A successful CSRF exploit can compromise end user data and operation in case of normal user. If the targeted end user is the administrator account, this can compromise the entire web application.
For more information on CSRF visit:

OWASP CSRF Protector Project

OWASP CSRF Protector project comes in two parts :

  • Standalone php library: This library can be both easily integrated with both existing web application or easily used while developing a new one.
  • Transparent Apache Module: Can be installed on Apache 2.x.x servers to provide CSRF mitigation without doing any modification in web application logic or codes.


Properties / Tool CSRF Protector - php library mod_csrfprotector apache module
Dependencies None None
Works with php >= 4.3 Apache 2.2.x
Current Status Alpha Version released Alpha Version released
Protection CSRF Protection for php web applications CSRF Protection for apache 2.2.x servers, irrespective of languages used as server side script!
NOJS Support Yes (Separate version supporting NoJS) No

OWASP CSRF Guard Project

info will be added soon