The attacker has no way to get the token. Therefore, the requests won’t have any effect.
I recommend this post from Gnucitizen. It has a pretty decent CSRF explanation: http://www.gnucitizen.org/blog/csrf-demystified/