The present invention provides a CSRF attack protection method and device. When a user request arrives without a token, the background server generates one, writes it into the browser cookie and into the page returned to the browser, and does not store it on the server side, so the load on the background server is reduced. When the user sends the next request, a preset front-end script runs and copies the token held in the browser cookie and in the page into that request. The background server then performs CSRF verification simply by checking whether the token in the request's cookie is identical to the token in the request parameter. Because a page on a third-party origin cannot read the browser cookie, a forged cross-site request cannot supply a matching parameter, so no additional logic binding the token to a particular user needs to be added, and the CSRF attack problem is solved simply and effectively.