CSRF exploits the fact that:

• Browsers automatically include cookies (like login sessions) with requests.
• Websites often trust those cookies without verifying the request source.

How websites prevent CSRF

Common protections include:

• CSRF tokens (most important):
  A unique, secret value included in forms that attackers can’t guess.
• SameSite cookies:
  Restr cookies from being sent in cross-site requests.
• Checking headers like Origin or Referer
• Re-authentication for sensitive actions

CSRF is dangerous because it uses your own authenticated session against you—it doesn’t need to hack your password.