Forms with no visible CSRF token field
CSRF stands for Cross-Site Request Forgery — an attack where a malicious website tricks a visitor's browser into submitting one of your forms without the visitor's knowledge. A CSRF token is a hidden, unique code added to each form that blocks this type of attack.
Why this matters
Without CSRF protection, your forms could be exploited to submit false data, trigger actions (like account changes or purchases) on behalf of logged-in users, or expose your backend to automated abuse. Well-maintained web frameworks include this automatically, so its absence may indicate a custom or older build that needs attention.
How to fix it
Ask your developer to add CSRF token protection to all forms that submit data. If your site uses a modern framework (such as Django, Rails, Laravel, or ASP.NET), this is often a single configuration change. For custom builds, tokens need to be generated server-side and verified on submission.
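To make the custom-build case concrete, here is an added example (not code from the page, nor from any of the frameworks it names) of the three steps the paragraph describes: generate an unpredictable token server-side, embed it as the hidden field a scanner looks for, and verify it on submission. It uses only the Python standard library; the `session` and `form` dictionaries are stand-ins for whatever your server framework provides, and the field name `csrf_token` and the `/account/email` action are assumed values.

```python
"""Minimal server-side CSRF token flow: issue a per-session token, embed it in
the form as a hidden field, and verify it on submission.
Added illustration for this finding; not code from any framework or site.
The session dict and form dict are assumed stand-ins for a real framework's."""
import hmac
import secrets
from html import escape
from urllib.parse import parse_qs

CSRF_FIELD = "csrf_token"  # hidden field name (assumed; any name works)


def issue_csrf_token(session: dict) -> str:
    """Return the session's CSRF token, creating one on first use.
    The token is unpredictable (secrets module) and is stored server-side,
    so a third-party site can neither read nor guess it."""
    token = session.get(CSRF_FIELD)
    if not token:
        token = secrets.token_urlsafe(32)
        session[CSRF_FIELD] = token
    return token


def render_form(session: dict, action: str = "/account/email") -> str:
    """Render a form carrying the token in a hidden field.
    This hidden field is what the scanner reports as missing."""
    token = issue_csrf_token(session)
    return (
        f'<form method="post" action="{escape(action)}">\n'
        f'  <input type="hidden" name="{CSRF_FIELD}" value="{escape(token)}">\n'
        f'  <input type="email" name="email">\n'
        f'  <button type="submit">Save</button>\n'
        f'</form>'
    )


def verify_csrf(session: dict, form: dict) -> bool:
    """Accept the submission only if the hidden field matches the session
    token. A cross-site post cannot carry the right value because the other
    site never sees the victim's token."""
    expected = session.get(CSRF_FIELD)
    submitted = form.get(CSRF_FIELD, "")
    if not expected or not submitted:
        return False
    # Constant-time comparison so the token is not leaked via timing.
    return hmac.compare_digest(expected.encode(), submitted.encode())


def parse_form_body(body: str) -> dict:
    """Turn a urlencoded POST body into a flat dict (first value per field)."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def handle_post(session: dict, body: str) -> tuple:
    """Simulated POST handler: 403 on a missing or invalid token, 200 otherwise."""
    form = parse_form_body(body)
    if not verify_csrf(session, form):
        return 403, "CSRF token missing or invalid"
    return 200, f"email updated to {form.get('email', '')}"


if __name__ == "__main__":
    # Constructed walk-through: the legitimate submission succeeds; a forged
    # cross-site submission (no token, or a guessed one) is rejected.
    victim_session = {}
    print(render_form(victim_session))
    token = victim_session[CSRF_FIELD]
    print(handle_post(victim_session, f"email=me%40example.com&{CSRF_FIELD}={token}"))
    print(handle_post(victim_session, "email=other%40example.com"))
    print(handle_post(victim_session, f"email=other%40example.com&{CSRF_FIELD}=guess"))
```

The verification step is the part custom builds most often get wrong: the check must run on every state-changing request, compare against a value held server-side (not one echoed back from the client alone), and use a constant-time comparison. Per-session tokens, as here, are the simplest correct scheme; frameworks that rotate tokens per request follow the same issue-embed-verify pattern.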