NB: This is the third post in a series of posts on web application security
(https://www.coffeeonthekeyboard.com/best-basic-security-practices-especially-with-django-697/).

The quintessential example of a CSRF (cross-site request forgery, sometimes
pronounced “sea-surf”) attack is a bank that naively performs transfers over a
GET request with no other protection:
http://badbank.com/transfer?from=act1&