CSRF, CORS, and HTTP Security Headers Demystified

mybank.com/transfer-funds. Since you are logged in to mybank.com, this request is made with your mybank.com cookies and will silently initiate a money transfer out of your account. Since evil.com and mybank.com are different origins, the browser refuses to provide the response to evil.com (because of CORS), but the attacker doesn't care: the money has already been transferred.

Now if

Each time mybank.com serves a form to a user, it generates a CSRF token and inserts it into a hidden field in the form. If a POST request is received, it checks the CSRF token against its database - if this is present and