Cross-Site Request Forgery (CSRF) happens when an attacker tricks a logged-in user into submitting a request they did not intend. For example, clicking a hidden link could cause the user’s browser to perform an admin action like changing settings or deleting data.
Magento uses form keys (CSRF tokens) to make sure each request comes from a real session and not from a forged page. If developers disable or forget this check, attackers can hijack user actions silently. Enforcing CSRF protection is critical for protecting sensitive operations like checkout and admin changes.
# Inspect custom forms in PHTML or layout files
# They should include the form key field:
<input type="hidden" name="form_key" value="<?= $block->getFormKey() ?>" />
# Check controllers for CSRF validation
# Classes should extend \Magento\Framework\App\Action\Action
# and use Magento's CSRF validation plugins
Include form_key in custom forms. Use \Magento\Framework\Data\Form\FormKey to generate tokens.

Vulnerable form (no form key, so a page on any other origin can submit it with the victim's session cookies):
<form action="/customer/delete" method="post">
<!-- Missing CSRF token -->
<button type="submit">Delete</button>
</form>

Fixed form (the form key is tied to the user's session, so a forged POST without it is rejected):
<form action="/customer/delete" method="post">
<input type="hidden" name="form_key" value="<?= $block->getFormKey() ?>" />
<button type="submit">Delete</button>
</form>
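The controller side of the check above, as an added example that is not part of the original page: a Magento 2 POST action that validates the form key explicitly through CsrfAwareActionInterface, so the deletion only runs when the submitted form_key matches the session's. The Vendor\Module namespace, the customer/delete route and the success message are assumptions.

```php
<?php
declare(strict_types=1);

namespace Vendor\Module\Controller\Customer;   // assumed module namespace

use Magento\Framework\App\Action\Action;
use Magento\Framework\App\Action\Context;
use Magento\Framework\App\Action\HttpPostActionInterface;
use Magento\Framework\App\CsrfAwareActionInterface;
use Magento\Framework\App\Request\InvalidRequestException;
use Magento\Framework\App\RequestInterface;
use Magento\Framework\Controller\ResultFactory;
use Magento\Framework\Data\Form\FormKey\Validator as FormKeyValidator;

class Delete extends Action implements HttpPostActionInterface, CsrfAwareActionInterface
{
    private FormKeyValidator $formKeyValidator;

    public function __construct(Context $context, FormKeyValidator $formKeyValidator)
    {
        parent::__construct($context);
        $this->formKeyValidator = $formKeyValidator;
    }

    // Called by the framework before execute(); false rejects the request.
    // The validator compares the posted form_key with the one stored in the session.
    public function validateForCsrf(RequestInterface $request): ?bool
    {
        return $this->formKeyValidator->validate($request);
    }

    // On a mismatch, send the user away instead of running the action.
    public function createCsrfValidationException(RequestInterface $request): ?InvalidRequestException
    {
        $redirect = $this->resultFactory->create(ResultFactory::TYPE_REDIRECT);
        $redirect->setPath('customer/account');
        return new InvalidRequestException($redirect, [__('Invalid form key. Please refresh the page.')]);
    }

    public function execute()
    {
        // Only reached when the form key matched; the actual deletion logic is assumed here.
        $this->messageManager->addSuccessMessage(__('Request accepted.'));
        return $this->resultRedirectFactory->create()->setPath('customer/account');
    }
}
```

Implementing HttpPostActionInterface additionally keeps the action off GET, so a plain link cannot trigger it even before the form key is checked.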