Drupal 8 security features: Cross site request forgery (XSRF)

This is the third part of the blog series about the Drupal 8 security features. We already covered Drupal community’s general approach to security, Cross site scripting and SQL injection. I strongly recommend you to read the first and second part if you didn’t do that yet.

Cross site request forgery (XSRF)

Cross site request forgery is a vulnerability that allows attackers to transmit unauthorized commands from a 3rd party site to the site that trusts the given user. Its results can be similar to XSS, but it works in a slightly different way.

Let’s assume there would exist an URL, that would allow users to delete a Drupal node without confirmation. In this case attacker could build a web page that would try to trick someone with admin permissions on the attacked site to click on a link to that URL. Drupal’s confirmation page comes into the equation at this point.

Looks familiar?

Yes, this page does not exist to annoy you and your clients since “it introduces a UX regression due to an extra click”. It is actually there to protect you from the XSRF attacks. Thank you Drupal!

Another way of XSRF attack is through a form. Let’s assume attacker could trick admin user to do an unauthorized POST request to the permissions form in Drupal. This could have disastrous results.

In order to prevent that Drupal’s form API generates unique form token (using SHA256 HMAC and a secret key) each time a form is loaded or updated. If the token is missing or changed it won’t allow submissions of that form. This ensures that the user that is submitted the form actually loaded it too.

General Drupal’s recommendation is to never use custom HTML forms and to use Form API instead.


Someone tries to do a POST request on admin user’s behalf. But since that person doesn’t know what is the valid value for the form token it tries to submit without it or with some arbitrary value.

Drupal detects that and refuses to accept the submitted data:

That’s it for today. Next time we’ll see how Drupal sanitizes user-submitted data if forms. Follow us on Twitter to stay tuned!

Do you need security review of your Drupal site or module? Get in touch!