Prevent CSRF Attacks: Protect Every State-Changing Request

Cross-Site Request Forgery silently hijacks authenticated sessions to transfer funds, change passwords, and modify accounts. PowerWAF validates every state-changing request at the edge — before the damage is done.

CWE-352 • OWASP A01/A04

The Invisible Session Hijack

CSRF attacks are invisible to the user. A malicious website, email, or ad silently triggers a request to your application using the victim’s existing session cookies. The server sees a valid session, valid cookies, and a seemingly legitimate request — and executes the action. No password needed. No login needed. The victim’s browser does all the work.

36% of web applications remain vulnerable to CSRF due to missing or improperly implemented protections

The impact ranges from account takeover and unauthorized fund transfers to privilege escalation and data modification. Even applications with CSRF tokens can be vulnerable if token validation is incomplete or bypassable.

How Attackers Exploit CSRF

Five techniques that force your users’ browsers into executing attacker-controlled requests.

Hidden Form Submission

Auto-submitting forms embedded in malicious pages that POST to your application with the victim’s cookies.

<form action="bank.com/transfer" method="POST">

Image Tag Exploit

Using <img src> tags to trigger GET requests that perform state-changing actions.

<img src="app.com/api/delete?id=123">

XHR-Based CSRF

Using XMLHttpRequest or fetch() from a malicious page when CORS is misconfigured or credentials are included.

fetch('app.com/api/settings', {credentials:'include'})

Login CSRF

Forcing the victim to log into the attacker’s account, then capturing everything the victim does in that session.

POST /login with attacker credentials via hidden form

JSON-Based CSRF

Sending JSON payloads via form submissions using enctype="text/plain" to bypass content-type checks.

{"email":"attacker@evil.com","role":"admin"}

How PowerWAF Blocks Every CSRF Vector

Five protection layers that validate every state-changing request — without touching your code.

Origin Validation

Verifies that the Origin and Referer headers on state-changing requests match your application’s domain. Requests from foreign origins are blocked automatically.

Stops cross-origin form submissions

Custom Header Enforcement

Requires custom headers (X-Requested-With, X-CSRF-Token) on API and AJAX endpoints. Simple CSRF vectors such as forms and image tags cannot add custom headers, and a script on a foreign origin can only send them after a successful CORS preflight, which your application does not grant.

Stops XHR-based and API CSRF

SameSite Cookie Enforcement

Enforces SameSite=Strict or SameSite=Lax cookie attributes at the proxy level, preventing cookies from being sent on cross-site requests even if your application doesn’t set them.

Stops cookie-based CSRF at browser level

Request Pattern Analysis

Detects anomalous patterns such as state-changing GET requests, missing Referer headers on sensitive endpoints, and content-type mismatches that indicate CSRF attempts.

Stops JSON CSRF and login CSRF

Content-Type Enforcement

Ensures API endpoints only accept the expected Content-Type (application/json). Blocks form-submitted payloads masquerading as JSON using text/plain encoding tricks.

Stops content-type bypass attacks

Protected in Minutes, Not Months

No CSRF tokens to implement. No middleware to configure. No code changes.

1. Point DNS

Change your DNS records to route traffic through PowerWAF. No server changes needed.

2. Instant Protection

PowerWAF immediately validates origins and blocks CSRF attacks on all state-changing requests.

3. Monitor Everything

Real-time dashboard shows blocked CSRF attempts, attacker origins, and targeted endpoints.

Ideal for applications with sensitive forms, payment flows, and account management endpoints.

See PowerWAF in Action

Real-time view of CSRF attacks being detected and blocked at the edge.

powerwaf-access-log — live
10:15:03 BLOCKED 198.51.100.87 POST /account/change-email → CSRF: Origin mismatch (evil-site.com)
10:15:04 BLOCKED 198.51.100.23 POST /api/transfer → CSRF: Missing Referer, no X-Requested-With
10:15:05 ALLOWED 203.0.113.50 POST /account/settings → Valid request (matching origin + CSRF token)
10:15:06 BLOCKED 203.0.113.42 POST /admin/users/promote → CSRF: Cross-origin form submission
10:15:07 BLOCKED 198.51.100.87 GET /api/delete-account?confirm=yes → CSRF: State-changing GET request
10:15:08 ALLOWED 198.51.100.12 POST /api/orders → Valid API request (Bearer token auth)
10:15:09 BLOCKED 198.51.100.23 POST /api/settings → CSRF: text/plain content-type with JSON body
10:15:10 BLOCKED 203.0.113.42 POST /login → Login CSRF: Foreign origin login attempt

Simulated log showing PowerWAF blocking CSRF attempts while allowing legitimate authenticated requests.
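The protection layers described above, applied to requests shaped like the entries in the simulated log, as an added illustration that is not PowerWAF's code. The host name app.example, the /api/ prefix, the MUTATING_GET list and every sample header are constructed assumptions.

```python
"""Edge-side CSRF checks modelled on the five layers described on this page.
Added illustration, not PowerWAF's code: host names, endpoint prefixes and
sample requests are constructed assumptions."""
from urllib.parse import urlsplit

APP_HOST = "app.example"                  # constructed: host of the protected app
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}
API_PREFIX = "/api/"                      # constructed: JSON/AJAX endpoints
MUTATING_GET = {"/api/delete-account"}    # constructed: GET paths that change state


def _host(url):
    # Hostname of an Origin/Referer value; a missing header or "Origin: null" gives None
    return urlsplit(url).hostname if url else None


def check_csrf(method, path, headers):
    """Decide one request; headers is a dict keyed by lowercase header name."""
    method = method.upper()
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    # Layer 4: a state-changing GET is anomalous regardless of where it came from
    if method == "GET" and path in MUTATING_GET:
        return "BLOCKED: state-changing GET request"
    if method not in STATE_CHANGING:
        return "ALLOWED"
    # A forged form/img request cannot carry an Authorization header, so bearer auth is not CSRF-able
    if headers.get("authorization", "").lower().startswith("bearer "):
        return "ALLOWED: bearer token auth"
    # Layer 1: Origin (or, failing that, Referer) must name our own host
    src = _host(headers.get("origin")) or _host(headers.get("referer"))
    if src is None:
        if path.startswith(API_PREFIX) and "x-requested-with" not in headers:
            return "BLOCKED: missing Referer, no X-Requested-With"
        return "BLOCKED: missing Origin/Referer"
    if src != APP_HOST:
        if path == "/login":
            return "BLOCKED: login CSRF, foreign origin"
        return "BLOCKED: Origin mismatch (%s)" % src
    # Layer 5: JSON endpoints accept application/json only (defeats the text/plain form trick)
    if path.startswith(API_PREFIX) and ctype != "application/json":
        return "BLOCKED: %s content-type on JSON endpoint" % (ctype or "no")
    # Layer 2: API endpoints must carry a custom header a plain form cannot set
    if path.startswith(API_PREFIX) and "x-requested-with" not in headers:
        return "BLOCKED: missing X-Requested-With"
    return "ALLOWED"


def harden_set_cookie(set_cookie):
    """Layer 3: add SameSite=Lax to a Set-Cookie header the application left without it."""
    attrs = [a.strip() for a in set_cookie.split(";")]
    if not any(a.lower().startswith("samesite=") for a in attrs[1:]):
        attrs.append("SameSite=Lax")
    return "; ".join(attrs)
```

check_csrf runs on the request path and harden_set_cookie on the response path, so together they cover both halves of the proxy's job described above.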

Proven Protection at Scale

< 5 min: average setup time, DNS change only
0: lines of code to change in your application
24/7: real-time monitoring and automatic blocking

Real-World Scenarios

Banking Application with Wire Transfers

A banking app processes wire transfers via POST requests. An attacker embeds a hidden form on a forum that auto-submits a transfer when any logged-in bank customer visits. PowerWAF blocks the cross-origin POST — the transfer never executes.

E-Commerce Account Takeover

Attackers craft emails with invisible image tags that trigger password reset or email change requests on an e-commerce platform. PowerWAF detects the missing Referer header and the cross-origin nature of the request and blocks it instantly.

SaaS Admin Panel Privilege Escalation

A SaaS admin dashboard lacks CSRF protection on the user role management endpoint. An attacker tricks an admin into visiting a page that promotes the attacker’s account to admin. PowerWAF validates the origin header and blocks the forged request.

Works with any web platform

WordPress
Laravel
Django
Node.js / Express
Ruby on Rails
ASP.NET
React / Next.js
Spring Boot
WooCommerce
Custom Apps

Frequently Asked Questions

What is CSRF (Cross-Site Request Forgery)?
CSRF is an attack that forces an authenticated user to execute unwanted actions on a web application. The attacker crafts a malicious request and tricks the victim’s browser into sending it while the user is logged in. The server cannot distinguish between the legitimate user’s request and the forged one. It is classified as CWE-352.
How does PowerWAF prevent CSRF attacks?
PowerWAF prevents CSRF through multiple layers: Origin and Referer header validation, custom header enforcement for AJAX requests, SameSite cookie policy enforcement, and behavioral analysis that detects anomalous state-changing request patterns — all without requiring changes to your application code.
Can CSRF work on APIs?
Yes, under certain conditions. If your API uses cookie-based authentication and accepts simple content types (application/x-www-form-urlencoded), it can be vulnerable. APIs using token-based auth (Bearer tokens in headers) are generally safe. PowerWAF enforces proper authentication patterns for API endpoints.
What is the difference between CSRF and XSS?
XSS injects malicious scripts that run in the user’s browser. CSRF forces the user’s browser to make unwanted requests using their existing session. XSS exploits the user’s trust in a website; CSRF exploits the website’s trust in the user’s browser. PowerWAF protects against both.
Do I need to add CSRF tokens to my forms?
CSRF tokens are a best practice, but PowerWAF provides protection even without them. By validating Origin headers, enforcing Referer policies, and analyzing request patterns, PowerWAF blocks CSRF attacks at the WAF layer.
Does PowerWAF work with single-page applications?
Yes. SPAs typically use AJAX requests with custom headers, which provide natural CSRF protection. PowerWAF enhances this by validating origins, enforcing CORS policies, and blocking requests that bypass SPA authentication patterns.

Protect Your Users Today

No credit card required. No code changes. Set up in under 5 minutes.