NB: This is the third post in a series of posts on web application security. The quintessential example of a CSRF (sometimes pronounced “sea-surf”) is a bank that naively does transfers over a GET request without any other security: http://badbank.com/transfer?from=act1&to=act2&amt=