D2 · Threats

What is CSRF?

CSRF (Cross-Site Request Forgery) tricks an authenticated user into unknowingly submitting a malicious request, exploiting the trust a web application places in the user's browser.
CSRF attack: the victim is logged into bank.com → the attacker tricks them into clicking a link → the browser sends an authenticated request to bank.com with their session cookie → an unauthorized action is performed. Prevention: CSRF tokens (unique per session), the SameSite cookie attribute (Strict or Lax), and re-authentication for sensitive actions.