How do developers prevent CSRF?

The classic method most developers use to fix this vulnerability properly is to add a secret token or nonce, called an anti-CSRF token, to every sensitive request; the server then verifies that token's authenticity before acting on the request.

Let's come back to our banking web application and see how it can be fixed by adding a secret token alongside other request parameters.

Assuming the user is logged into the banking application, the server assigns a unique anti-CSRF token, say ABC123, to his session and embeds it in all sensitive forms and URLs. Now, to transfer 500 dollars to John, the URL would become the following:

https://bank.example.com/transfer/money?username=John&amount=500&token=ABC123

This token parameter's value will be checked and validated ...
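The following is an added example, not code from the book, of the server side of this scheme: a per-session token is generated at login, the server embeds the same token in its own forms and links, and the `/transfer/money` handler rejects any request whose `token` parameter is missing or does not match. The in-memory session store, the function names (`login`, `render_transfer_form`, `transfer_money`) and the request dictionaries are assumptions made for the example; a real application would use its framework's session and CSRF middleware.

```python
import hmac
import secrets

# Constructed in-memory session store for the example: session id -> session data.
SESSIONS = {}


def login(username):
    """Create a session and bind a fresh, unguessable anti-CSRF token to it."""
    session_id = secrets.token_urlsafe(16)
    SESSIONS[session_id] = {
        "user": username,
        # Server-side copy of the token; every sensitive request must carry it.
        "csrf_token": secrets.token_urlsafe(32),
        "balance": 1000,
    }
    return session_id


def render_transfer_form(session_id):
    """Return the token the server embeds in its own transfer form/URL for this session.

    A cross-site attacker cannot read this value, so a forged request cannot include it.
    """
    return SESSIONS[session_id]["csrf_token"]


def transfer_money(session_id, params):
    """Handler for /transfer/money.

    `params` is the parsed query string, e.g.
    {"username": "John", "amount": "500", "token": "ABC123"}.
    Returns (http_status, message).
    """
    session = SESSIONS.get(session_id)
    if session is None:
        return 401, "not logged in"

    supplied = params.get("token", "")
    expected = session["csrf_token"]
    # Constant-time comparison so the check does not leak the token through timing.
    if not supplied or not hmac.compare_digest(
        supplied.encode("utf-8"), expected.encode("utf-8")
    ):
        return 403, "invalid or missing anti-CSRF token"

    try:
        amount = int(params.get("amount", "0"))
    except ValueError:
        return 400, "invalid amount"
    if amount <= 0 or amount > session["balance"]:
        return 400, "invalid amount"

    session["balance"] -= amount
    return 200, f"transferred {amount} to {params.get('username', '?')}"


if __name__ == "__main__":
    sid = login("alice")
    token = render_transfer_form(sid)
    # Request forged from another site: the attacker does not know the token.
    print(transfer_money(sid, {"username": "John", "amount": "500"}))
    # Request issued from the bank's own form, which carries the token.
    print(transfer_money(sid, {"username": "John", "amount": "500", "token": token}))
```

The token must be tied to the session (or signed with a server key) so that a token minted for one user is useless in another user's request, and the comparison must run before any state changes.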

Get Mastering Modern Web Penetration Testing now with the O’Reilly learning platform.