Cross-Site Request Forgery (CSRF)

CSRF attacks are another popular way that applications can be taken over: the attacker forces a user with elevated privileges to execute unwanted actions on their own site. Usually this happens when certain URLs on the application trigger a process, such as deleting a resource, simply by being accessed through the browser by an authenticated user.

The most important thing to consider in this respect is to never let such actions happen simply because a URL was accessed. To help with this, we have the powerful Form API, which has had token-based CSRF protection embedded since previous versions of Drupal. So you can create forms whose submit handlers perform the potentially damaging actions (as we learned in Chapter 2, Creating Your First Module) or even add a second layer using a confirmation form (as we saw in Chapter 6, Data Modeling and Storage, and Chapter 7, Your Own Custom Entity and Plugin Types, when talking about entities). The latter is actually recommended when the action is irreversible or has greater implications.

Although the Form API should account for most use cases, we may also need to declare a callback URL that directly handles the process. To protect ourselves from CSRF attacks in that case, we can use the CSRF token system, as we saw in Chapter 10, Access Control, when we talked about the various types of access control. I recommend that you check out that chapter for more information on this topic.
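The following standalone PHP sketch is an added example, not code from the book or from Drupal core. It models the idea behind protecting a callback URL with a token: the token is derived from a per-session seed and the action path, so a request without the token, with a token for a different path, or with a token from another session is refused. The secret, the route path and the function names are all hypothetical.

```php
<?php
declare(strict_types=1);

// Constructed value for illustration: a per-site secret kept server-side.
const SITE_SECRET = 'constructed-site-secret';

/** Derive a token bound to both the user's session seed and the action path. */
function csrf_token(string $sessionSeed, string $path): string {
  $mac = hash_hmac('sha256', $path, $sessionSeed . SITE_SECRET, true);
  // URL-safe base64 so the token can travel in a query string.
  return rtrim(strtr(base64_encode($mac), '+/', '-_'), '=');
}

/** Constant-time check; a missing or non-string token is always rejected. */
function csrf_valid(string $sessionSeed, string $path, $token): bool {
  return is_string($token) && $token !== ''
    && hash_equals(csrf_token($sessionSeed, $path), $token);
}

/** Hypothetical callback: performs the action only when the token matches. */
function handle_delete(string $sessionSeed, string $path, array $query): int {
  if (!csrf_valid($sessionSeed, $path, $query['token'] ?? null)) {
    return 403; // Nothing is deleted.
  }
  // ... delete the resource here ...
  return 200;
}

$seed  = bin2hex(random_bytes(16));    // would be stored in the user's session
$path  = 'my-module/thing/42/delete';  // hypothetical route path
$token = csrf_token($seed, $path);

// Link rendered by the site itself for the logged-in user.
var_dump(handle_delete($seed, $path, ['token' => $token]));
// Request triggered from another site: no token is attached.
var_dump(handle_delete($seed, $path, []));
// Token issued for one path replayed against a different path.
var_dump(handle_delete($seed, 'my-module/thing/43/delete', ['token' => $token]));
// Token computed under a different session seed.
var_dump(handle_delete($seed, $path, ['token' => csrf_token('other-seed', $path)]));
```

Only the first call passes the check. The other three return 403 because the expected token depends on values an outside site cannot read.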
