// glossary

CSRF

aka: Cross-Site Request Forgery

CSRF is an attack where a malicious site tricks a logged-in user's browser into making unwanted authenticated requests to another site.

CSRF exploits the browser's automatic cookie attachment. If you're logged into bank.com and visit malicious.com, the malicious page can submit a form to bank.com/transfer — and your browser attaches your bank.com session cookie to the request. The bank server sees a legitimate logged-in transfer.

Mitigations: CSRF tokens (a random value the server expects on each state-changing request, included as a hidden form field), SameSite cookies (Strict or Lax), and Origin/Referer header checks. SameSite=Lax is the modern default for new cookies and on its own blocks most CSRF.

CSRF is usually invisible during local dev because both your dev server and your browser are on localhost — same origin, no CSRF possible. The bug surfaces in staging or prod.

// shipping?

lrok gives your localhost a public HTTPS URL with a reserved subdomain on the free plan. Useful when this term comes up in a real integration:

$ curl -fsSL https://lrok.io/install.sh | sh
$ lrok http 3000
