# Cross-Site Request Forgery (CSRF) (CWE-352)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

**Stack:** Go

- Prevalence: Medium 3 languages covered
- Impact: High 3 high-severity rules
- Prevention: Documented 3 fix examples

**OWASP:** Broken Access Control (A01:2021-Broken Access Control) - #1

## Description

When a web server is designed to receive a request from a client without any mechanism for verifying that it was intentionally sent, then it might be possible for an attacker to trick a client into making an unintentional request to the web server which will be treated as an authentic request.

## Prevention

Prevention strategies for Cross-Site Request Forgery based on 1 Shoulder detection rules.

### Go

Add CSRF middleware to protect state-changing endpoints

## Warning Signs

- [HIGH] State-changing endpoints lack CSRF protection

## Consequences

- Modify Application Data
- Gain Privileges
- Execute Unauthorized Code

## Mitigations

- Use anti-CSRF tokens in all state-changing requests
- Check the Referer header
- Use SameSite cookie attribute

## Detection

- Total rules: 3
- Languages: javascript, typescript, python, go

## Rules by Language

### Go (1 rules)

- **Missing CSRF Protection (Gin)** [HIGH]: State-changing endpoints lack CSRF token protection.
  - Remediation: Add CSRF middleware using gin-csrf.

```go
import "github.com/utrack/gin-csrf"

r := gin.Default()
r.Use(csrf.Middleware(csrf.Options{
    Secret: os.Getenv("CSRF_SECRET"),
}))
r.POST("/transfer", transferHandler)
```

Learn more: https://shoulder.dev/learn/go/cwe-352/csrf-protection