
CSRF (Cross-Site Request Forgery)

Updated: Jul 6, 2018

Cross-site request forgery exploits the trust a server places in an authenticated session: the browser attaches the session cookie to every request sent to that site, so the server cannot tell from the cookie alone whether the user actually intended the request.

A CSRF attack occurs when a malicious website, email or program causes the victim's browser to submit an unwanted request (a form post, a state-changing link) to a trusted website on which the user is currently authenticated. The browser sends the session cookie along with it, and the trusted site carries out the action as if the user had requested it.

The attacker does not need to forge the Referer header: the forged request arrives from the victim's own browser, carrying the attacker's page as its Referer (or Origin). The attack succeeds because the developer never checks that header (source origin against target origin) on the master page or in the application, and simply accepts whatever headers the request carries by default.


Defending against CSRF (Cross-Site Request Forgery)

1. Check the standard headers to verify the request is same-origin

a. The origin the request is coming from (source origin): take it from the Origin header, or from the Referer header when Origin is absent

b. The origin the request is going to (target origin): take it from the Host header (or a configured value) and require it to equal the source origin; reject the request when neither header is present rather than letting it through

2. Check a CSRF token

a. Validate that the token in the cookie and the token in the form match (the double-submit cookie pattern), using a constant-time comparison, on every state-changing (non-GET) request
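The two checks above, written out as server-side validation logic. This is an added example, not code from the original post or from WebSEAL or IIS; the request is modelled as plain dicts of headers, cookies and form fields, and the cookie/field name "csrftoken" and the function names are assumptions. It also normalizes default ports and fails closed when the Origin header is "null" or missing, which the list above only implies.

```python
"""Server-side CSRF validation combining the two checks from the post:
(1) source origin == target origin, (2) cookie token == form token.

Added example (not code from the original post, WebSEAL or IIS). The
request is modelled as plain dicts of headers, cookies and form fields;
the cookie/field name "csrftoken" and the function names are assumptions.
"""
import hmac
import secrets
from typing import Optional, Tuple
from urllib.parse import urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}  # must not change state, so no CSRF check
TOKEN_NAME = "csrftoken"  # assumed cookie and form-field name


def normalize_origin(scheme: str, netloc: str) -> str:
    """Build "scheme://host[:port]" in lower case, dropping the default port."""
    scheme, netloc = scheme.lower(), netloc.lower()
    default = {"https": ":443", "http": ":80"}.get(scheme)
    if default and netloc.endswith(default):
        netloc = netloc[: -len(default)]
    return f"{scheme}://{netloc}"


def target_origin(scheme: str, headers: dict) -> Optional[str]:
    """Origin the request is going to: the scheme the server terminated plus the Host header."""
    host = headers.get("Host")
    return normalize_origin(scheme, host) if host else None


def source_origin(headers: dict) -> Optional[str]:
    """Origin the request is coming from. Origin header wins; Referer is the fallback.
    Returns None when neither is usable so the caller can fail closed."""
    origin = headers.get("Origin")
    if origin is not None:
        parts = urlsplit(origin)  # "null" (sandboxed/redirected page) has no netloc -> None
        return normalize_origin(parts.scheme, parts.netloc) if parts.scheme and parts.netloc else None
    referer = headers.get("Referer")
    if referer:
        parts = urlsplit(referer)
        if parts.scheme and parts.netloc:
            return normalize_origin(parts.scheme, parts.netloc)
    return None


def same_origin(scheme: str, headers: dict) -> bool:
    """Check 1: source origin must be present and equal the target origin."""
    src, dst = source_origin(headers), target_origin(scheme, headers)
    return src is not None and dst is not None and src == dst


def new_csrf_token() -> str:
    """Unpredictable per-session token, set as a cookie and echoed in each form."""
    return secrets.token_urlsafe(32)


def token_matches(cookie_token: Optional[str], form_token: Optional[str]) -> bool:
    """Check 2 (double-submit cookie); constant-time compare avoids a timing leak."""
    if not cookie_token or not form_token:
        return False
    return hmac.compare_digest(cookie_token, form_token)


def csrf_check(method: str, scheme: str, headers: dict, cookies: dict, form: dict) -> Tuple[bool, str]:
    """Apply both checks to a request; returns (allowed, reason)."""
    if method.upper() in SAFE_METHODS:
        return True, "safe method"
    if not same_origin(scheme, headers):
        return False, "origin mismatch"
    if not token_matches(cookies.get(TOKEN_NAME), form.get(TOKEN_NAME)):
        return False, "token mismatch"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    token = new_csrf_token()
    legit = csrf_check("POST", "https", {"Host": "bank.example", "Origin": "https://bank.example"},
                       {TOKEN_NAME: token}, {TOKEN_NAME: token})
    # The attacker's page cannot read the victim's cookie, so the forged form has no token,
    # and its Referer names the attacker's origin.
    forged = csrf_check("POST", "https", {"Host": "bank.example", "Referer": "https://evil.example/csrf.html"},
                        {TOKEN_NAME: token}, {})
    print("legitimate:", legit)  # (True, 'ok')
    print("forged:    ", forged)  # (False, 'origin mismatch')
```

The origin check runs first because it is cheap and needs no server-side state; the token check is what still protects you when a proxy strips Referer or a browser omits Origin for a same-site form, which is why both are kept rather than either alone.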


WebSEAL can also be configured to validate the Referer header of incoming HTTP requests, which applies check 1 at the reverse proxy instead of in application code.

Referrer-Policy header

<add name="Referrer-Policy" value="strict-origin" />

This is an IIS web.config entry (under system.webServer/httpProtocol/customHeaders) that adds the Referrer-Policy response header. With strict-origin, browsers send only the origin, not the full URL, as the Referer on requests leaving your pages, and send nothing at all when going from HTTPS to HTTP. It governs what your own site leaks outbound; it does not validate the Referer of incoming requests, so it complements the server-side checks above rather than replacing them.
