Security Check n°10 / 120

CSRF form protection

Imagine someone creates a fake "order" button on their site, and clicking it triggers a real order on another site where you're logged in. T…


Understanding "CSRF form protection"

CSRF (Cross-Site Request Forgery) is an attack that forces an authenticated user to execute unwanted actions on a website. The attacker creates a malicious page that, when visited by a victim logged into your site, automatically sends HTTP requests to your domain with the victim's authentication cookies — which the browser attaches automatically to all requests to your domain.

CSRF protection relies on a secret token unique to each session, included in every HTML form and verified server-side. Because a page on another origin cannot read that token (the same-origin policy keeps it out of reach of cross-site scripts), a malicious site cannot produce a valid one, and the forged request is rejected. CSRF is part of the OWASP Top 10.

❌ Without CSRF token — forced action possible
   Malicious site → forged POST + victim's cookies → ⚠️ Forced action

✅ With CSRF token — forged requests rejected
   Malicious site → POST without valid token → 🛡️ Server verifies the token → 403 Rejected ❌
   Legitimate form → POST + valid token → 🛡️ Server verifies the token → ✅ Accepted

How TheSiteFuse checks "CSRF form protection"

TheSiteFuse downloads the HTML of the homepage and of the forms it detects, and looks for hidden fields (<input type="hidden">) whose names match common CSRF token patterns: csrf_token, _csrf, _token, csrfmiddlewaretoken. The check reports an absence if no POST form contains such a token. GET forms are excluded from the check.
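The detection logic described above, as an added example written for this page and not TheSiteFuse's own scanner: a stdlib Python scanner that parses the HTML, keeps only POST forms, and reports which ones lack a hidden field matching the four token names listed. It goes slightly beyond the page's yes/no check by listing each unprotected form's action; the HTML documents and form actions below are constructed sample input.

```python
from html.parser import HTMLParser

# Hidden-field names the check looks for (from the page).
TOKEN_NAME_PATTERNS = ("csrf_token", "_csrf", "_token", "csrfmiddlewaretoken")


class FormScanner(HTMLParser):
    """Collects every <form> with its action, method and the names of its hidden inputs."""

    def __init__(self):
        super().__init__()
        self.forms = []        # list of {"action", "method", "hidden": [names]}
        self._current = None   # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)        # attribute names are already lowercased by HTMLParser
        if tag == "form":
            self._current = {
                "action": a.get("action") or "",
                "method": (a.get("method") or "get").lower(),  # HTML default is GET
                "hidden": [],
            }
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            # <input> is a void element; self-closing "<input />" also lands here.
            if (a.get("type") or "text").lower() == "hidden" and a.get("name"):
                self._current["hidden"].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def looks_like_csrf_token(name):
    """True if a hidden-field name matches one of the common token patterns."""
    lowered = name.lower()
    return any(pattern in lowered for pattern in TOKEN_NAME_PATTERNS)


def check_csrf_forms(html):
    """Scan one HTML document; 'flagged' mirrors the page's rule (no POST form has a token)."""
    scanner = FormScanner()
    scanner.feed(html)
    post_forms = [f for f in scanner.forms if f["method"] == "post"]   # GET forms excluded
    unprotected = [
        f["action"] or "(no action)"
        for f in post_forms
        if not any(looks_like_csrf_token(n) for n in f["hidden"])
    ]
    return {
        "post_forms": len(post_forms),
        "unprotected": unprotected,
        "flagged": len(post_forms) > 0 and len(unprotected) == len(post_forms),
    }


# Constructed sample page: one GET form, one protected POST form, one unprotected POST form.
SAMPLE_HTML = """
<html><body>
  <form action="/search" method="get">
    <input type="text" name="q">
  </form>
  <form action="/login" method="POST">
    <input type="hidden" name="csrfmiddlewaretoken" value="abc123">
    <input type="password" name="password">
  </form>
  <form action="/newsletter" method="post">
    <input type="email" name="email" />
    <input type="hidden" name="redirect" value="/thanks" />
  </form>
</body></html>
"""

# Constructed sample page where no POST form carries a token: the check should flag it.
UNPROTECTED_HTML = """
<form action="/contact" method="post">
  <input type="text" name="message">
</form>
"""

if __name__ == "__main__":
    print(check_csrf_forms(SAMPLE_HTML))
    print(check_csrf_forms(UNPROTECTED_HTML))
```

The substring match is deliberately lenient (Laravel's @csrf renders a hidden `_token` field, Django renders `csrfmiddlewaretoken`), which is why a field like `redirect` is not counted while `csrf_token` and `_token` are.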

Why "CSRF form protection" matters

Without CSRF protection, your logged-in users are vulnerable to silent attacks:

  • Unauthorised transfers — if your site allows transfers or payments, a logged-in user visiting a malicious site can trigger a transfer without knowing it.
  • Account modification — email, password, address changes — all these actions can be forced by a CSRF request.
  • Content publishing — forcing a user to publish a fraudulent comment, message or review.
  • Admin actions — if the victim is an administrator, the impact can be catastrophic: creating admin accounts, modifying system settings, deleting data.

Fix "CSRF form protection" step by step

Flask (Flask-WTF)

pip install flask-wtf

# app.py
from flask import Flask
from flask_wtf.csrf import CSRFProtect

app = Flask(__name__)
app.config["SECRET_KEY"] = "replace-with-a-long-random-secret"  # required: tokens are signed with it
csrf = CSRFProtect(app)  # every POST/PUT/PATCH/DELETE now requires a valid token

# In each template:
<form method="post">
    <input type="hidden" name="csrf_token" value="{{ csrf_token() }}">
</form>

Django

# In each template:
<form method="post">
    {% csrf_token %}
</form>

Laravel

<form method="POST">
    @csrf
</form>

For AJAX / Fetch requests

// Expose the token in the page head, e.g. <meta name="csrf-token" content="{{ csrf_token() }}">
const token = document.querySelector('meta[name="csrf-token"]').content;
const data = { action: 'example' };  // payload of the request
fetch('/api/action', {
    method: 'POST',
    headers: {
        'Content-Type': 'application/json',
        'X-CSRFToken': token
    },
    body: JSON.stringify(data)
});
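To show the server side of the flow in the diagram above, and what the hidden form field and the X-CSRFToken header from the fix steps are actually checked against, here is an added, framework-independent example (not code from the page or from Flask-WTF, Django or Laravel): a per-session token store using Python's standard library, a verify step that accepts the token from either the form field or the header with a constant-time comparison, and a request handler that answers 403 when the token is missing or belongs to another session. Session ids, cookie names and request contents are constructed.

```python
import hmac
import secrets

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}   # read-only methods need no token


class CsrfGuard:
    """Issues one secret token per session and verifies it on state-changing requests."""

    FIELD = "csrf_token"     # hidden-field name used by the Flask form above
    HEADER = "X-CSRFToken"   # header name used by the fetch() snippet above

    def __init__(self):
        # session_id -> token; stands in for the server-side session store (constructed)
        self._tokens = {}

    def issue(self, session_id):
        """Return the session's token, generating a fresh random one on first use."""
        if session_id not in self._tokens:
            self._tokens[session_id] = secrets.token_urlsafe(32)
        return self._tokens[session_id]

    def verify(self, session_id, form=None, headers=None):
        """True only if the request carries exactly the token bound to this session."""
        expected = self._tokens.get(session_id)
        if expected is None:
            return False
        presented = (form or {}).get(self.FIELD)
        if presented is None:
            presented = _header(headers or {}, self.HEADER)
        if not isinstance(presented, str) or not presented:
            return False
        # Constant-time comparison so timing differences do not leak the token.
        return hmac.compare_digest(presented.encode(), expected.encode())


def _header(headers, name):
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def handle_request(guard, method, cookies, form=None, headers=None):
    """Minimal request handler: returns the HTTP status the server would answer with."""
    if method.upper() in SAFE_METHODS:
        return 200
    session_id = cookies.get("session")
    if session_id is None:
        return 401                      # not logged in at all
    if not guard.verify(session_id, form, headers):
        return 403                      # forged or token-less request: rejected
    return 200                          # legitimate, token-bearing request: accepted


def demo():
    """Replays the scenarios from the diagram; all cookies, sessions and payloads are constructed."""
    guard = CsrfGuard()
    victim_cookies = {"session": "sess-victim"}    # what the victim's browser attaches
    victim_token = guard.issue("sess-victim")      # embedded in the site's own forms/meta tag
    attacker_token = guard.issue("sess-attacker")  # attacker's own session, different token
    return {
        # Malicious page: browser sends the victim's cookie, but no token is available.
        "forged_post": handle_request(guard, "POST", victim_cookies, form={"amount": "100"}),
        # A token from a different session is not the victim's token: still rejected.
        "foreign_token": handle_request(guard, "POST", victim_cookies,
                                        form={"amount": "100", "csrf_token": attacker_token}),
        # Legitimate form rendered by the site, carrying the hidden field.
        "legit_form": handle_request(guard, "POST", victim_cookies,
                                     form={"amount": "100", "csrf_token": victim_token}),
        # fetch() request carrying the token in the X-CSRFToken header.
        "legit_fetch": handle_request(guard, "POST", victim_cookies,
                                      headers={"x-csrftoken": victim_token}),
        # Read-only request: no token required.
        "safe_get": handle_request(guard, "GET", victim_cookies),
    }


if __name__ == "__main__":
    print(demo())
```

The token is tied to the session rather than generated globally, which is what makes the "foreign_token" case fail: a token obtained from any other session is worthless against the victim's.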

Verify

curl -i -X POST https://yoursite.com/my-form -d "field=value"

A POST that carries no token must be rejected rather than processed (Django answers 403, Flask-WTF 400, Laravel 419); if the response is 200 and the action was performed, the form is still unprotected.

Reference resource

To deepen your understanding of the technical concepts behind this check, see the dedicated Wikipedia article.

Wikipedia — CSRF form protection
