Check if your forms and API endpoints are protected against cross-site request forgery.
Overview
Cross-Site Request Forgery (CSRF) tricks authenticated users into performing unintended actions. Our scanner checks forms and state-changing endpoints for CSRF tokens, SameSite cookie attributes, and other anti-CSRF mechanisms.
What this scanner does
Analyzes forms for CSRF token presence, checks cookie SameSite attributes, tests state-changing endpoints (POST/PUT/DELETE) for anti-CSRF protection, and verifies that the Referer/Origin headers are validated.
Why it matters
Without CSRF protection, an attacker can craft a malicious page that triggers actions on your site — transferring funds, changing passwords, or deleting data — while the victim is logged in. Modern frameworks have built-in CSRF protection, but it is often misconfigured.
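As an added illustration (not part of this page or its scanner), the three defender-side checks the description names, in Python: classifying a Set-Cookie value's SameSite attribute, validating Origin/Referer on a state-changing request, and finding non-GET forms without a hidden anti-CSRF field. The token field names, the site host and the sample page are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
# Hidden-field names used by common frameworks for the anti-CSRF token (assumption: illustrative set).
CSRF_FIELD_NAMES = {"csrf_token", "csrfmiddlewaretoken", "_token", "authenticity_token", "__requestverificationtoken"}

def cookie_samesite_status(set_cookie: str) -> str:
    """Classify a Set-Cookie value as 'strict', 'lax', 'none', 'none-insecure' or 'missing'."""
    flags = {k.strip().lower(): v.strip().lower()
             for k, _, v in (p.partition("=") for p in set_cookie.split(";")[1:])}
    samesite = flags.get("samesite")
    if samesite is None:
        return "missing"                     # no explicit SameSite: relies on browser defaults only
    if samesite == "none":                   # SameSite=None is only honoured together with Secure
        return "none" if "secure" in flags else "none-insecure"
    return samesite

def origin_allowed(headers: dict, site_host: str) -> bool:
    """Origin first, Referer as fallback; reject when neither is present or the host differs."""
    for name in ("Origin", "Referer"):
        value = headers.get(name)
        if value:                            # an Origin of 'null' has no hostname and is rejected
            return urlsplit(value).hostname == site_host
    return False

class _FormScanner(HTMLParser):
    """Collects (method, has_csrf_field) for each <form> in a page."""
    def __init__(self):
        super().__init__()
        self.forms, self._cur = [], None
    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._cur = [a.get("method", "get").lower(), False]
        elif tag == "input" and self._cur is not None:
            if a.get("type", "").lower() == "hidden" and a.get("name", "").lower() in CSRF_FIELD_NAMES:
                self._cur[1] = True
    def handle_endtag(self, tag):
        if tag == "form" and self._cur is not None:
            self.forms.append(tuple(self._cur)); self._cur = None

def unprotected_forms(html: str) -> int:
    """Count state-changing (non-GET) forms that carry no recognised hidden CSRF field."""
    scanner = _FormScanner(); scanner.feed(html)
    return sum(1 for method, has_token in scanner.forms if method != "get" and not has_token)

# Constructed sample page: one protected POST form, one unprotected, one harmless GET form.
SAMPLE_HTML = """<form method="post" action="/transfer"><input type="hidden" name="csrf_token" value="x"><input name="amount"></form>
<form method="POST" action="/password"><input name="new_password"></form>
<form method="get" action="/search"><input name="q"></form>
"""
```

Running `unprotected_forms(SAMPLE_HTML)` reports the single unprotected password form, and `cookie_samesite_status("sid=1; SameSite=None")` flags the cookie as "none-insecure" because Secure is absent.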