Cross-site request forgery, also known as one-click attack or session riding and abbreviated CSRF or XSRF (see Wikipedia – https://en.wikipedia.org/wiki/Cross-site_request_forgery), is listed in the OWASP Top 10 as a high-severity vulnerability, so every developer must know how to prevent this attack in their own code.
If you open a SharePoint application page from the hive folder, you will see the following line:
<SharePoint:FormDigest runat="server" />
This control renders the form digest: a token string generated by the server for the requested page, which it places in a hidden field named __REQUESTDIGEST.
On the server side, there is logic that validates this form digest before the server processes the POST request from the client (application page). The code is simply:
which returns true/false.
var formDigest = document.getElementById("__REQUESTDIGEST").value;
Then send formDigest back with the request, either as an extra field in the POST body alongside the actual form data or as the X-RequestDigest request header.
For reference, see the following article – https://msdn.microsoft.com/en-us/library/office/gg552614(v=office.14).aspx?f=255&mspperror=-2147217396#Anchor_2