Glossary

CSRF (Cross-Site Request Forgery)

Updated on 1 min Reviewed by: Cenedril Editorial

CSRF (Cross-Site Request Forgery) is a web attack where an attacker tricks an authenticated user into unintentionally performing an action in a web application — such as a transfer, password change, or configuration modification.

In an ISMS, ISO 27001 Annex A controls A.8.25 (Secure Development) and A.8.26 (Application Security Requirements) address this risk. The standard defense is the anti-CSRF token: a random value sent with form requests and validated server-side. Modern frameworks (Django, Rails, Spring) implement CSRF protection by default. Additional measures include SameSite cookie attributes and Origin/Referer header validation. CSRF has been historically prominent in the OWASP Top 10 and remains relevant for legacy applications.
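The three defenses named above (synchronizer token validated server-side, Origin/Referer header validation, and a SameSite cookie attribute) can be seen together in a small, framework-independent check. The following is an added example written for this glossary entry, not code from any of the frameworks mentioned; the allowed origin `https://app.example`, the cookie name `sessionid` and the request/session dictionaries are constructed assumptions standing in for a real HTTP layer.

```python
import hmac
import secrets
from typing import Dict, Tuple
from urllib.parse import urlsplit

# Assumption: the application is only ever served from this origin.
ALLOWED_ORIGINS = {"https://app.example"}
# Methods that must not change state and therefore need no CSRF check.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def issue_csrf_token(session: Dict[str, str]) -> str:
    """Anti-CSRF token: a random value bound to the server-side session.

    The same value is embedded in the form; an attacker's page on another
    site cannot read it, so a forged request cannot include it.
    """
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def origin_is_allowed(headers: Dict[str, str]) -> bool:
    """Origin/Referer validation for state-changing requests.

    Prefer the Origin header; fall back to the Referer's scheme+host.
    A state-changing request carrying neither header is rejected.
    """
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin in ALLOWED_ORIGINS


def csrf_check(method: str, headers: Dict[str, str],
               form: Dict[str, str], session: Dict[str, str]) -> Tuple[bool, str]:
    """Server-side decision: (accepted, reason) for one request."""
    if method.upper() in SAFE_METHODS:
        return True, "safe method"
    if not origin_is_allowed(headers):
        return False, "origin rejected"
    expected = session.get("csrf_token")
    submitted = form.get("csrf_token", "")
    # Constant-time comparison so timing does not leak the token.
    if not expected or not hmac.compare_digest(expected, submitted):
        return False, "token mismatch"
    return True, "ok"


def session_cookie(session_id: str) -> str:
    """Set-Cookie value with SameSite=Lax: the browser omits the session
    cookie on cross-site POSTs, so a forged form submission arrives
    unauthenticated even before the token check runs."""
    return f"sessionid={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    # Constructed sample session and requests.
    session: Dict[str, str] = {}
    token = issue_csrf_token(session)
    legit = csrf_check("POST", {"Origin": "https://app.example"},
                       {"csrf_token": token, "amount": "100"}, session)
    forged = csrf_check("POST", {"Origin": "https://attacker.example"},
                        {"amount": "100"}, session)
    print("legitimate request:", legit)
    print("cross-site request:", forged)
    print("cookie header:", session_cookie("abc123"))
```

The order of the checks matters for diagnostics: rejecting on origin first gives a clear signal in logs that a cross-site request was attempted, while the token comparison catches the case where an attacker has somehow matched the origin (for example via a subdomain under their control).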