What it is
CSRF (cross-site request forgery) tricks a logged-in user’s browser into making an unwanted request. The usual defence is a per-session token the server checks.
In the Credicorp API
The public ring is unauthenticated, so classic session CSRF does not apply in the same way. The consent endpoint accepts a forwarded snapshot without a CSRF check precisely because the edge has already validated the visitor's own form: the edge, not a token, is the origin/CSRF trust boundary. Do not call the endpoint straight from the browser.
Frequently asked questions
Why is there no CSRF token on the consent endpoint?
Because it expects a trusted server-side forward from your edge, which has already validated the visitor’s banner interaction. The edge is the trust boundary, not a token.
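The trust boundary described above and in the section before it, as an added example that is not Credicorp's code: the edge validates the visitor's own banner POST (same-origin check plus a per-session token) and only then builds the server-side forward. The endpoint URL, header names, form fields and snapshot shape are assumptions for illustration.

```python
import hmac
import secrets
from typing import Optional
from urllib.parse import urlsplit

ALLOWED_ORIGIN = "https://shop.example"               # assumed: the edge's own site origin
CONSENT_FORWARD_URL = "https://api.example/consent"   # placeholder, not the real endpoint


def issue_csrf_token(session: dict) -> str:
    """Mint a per-session token, store it server-side, and embed it in the banner form."""
    session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def validate_banner_submission(session: dict, headers: dict, form: dict) -> Optional[str]:
    """Return None when the visitor's banner POST is genuine, else the rejection reason."""
    # Exact-origin comparison: a prefix check would accept https://shop.example.evil
    origin = headers.get("Origin") or headers.get("Referer", "")
    parts = urlsplit(origin)
    if f"{parts.scheme}://{parts.netloc}" != ALLOWED_ORIGIN:
        return "cross-site origin"
    expected = session.get("csrf_token", "")
    supplied = form.get("csrf_token", "")
    # Constant-time comparison so token mismatch timing leaks nothing
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return "bad csrf token"
    if form.get("consent") not in ("granted", "denied"):
        return "bad consent value"
    return None


def build_forward(session: dict, headers: dict, form: dict) -> Optional[dict]:
    """The server-side forward the edge makes after it has validated the visitor's form.

    The forwarded snapshot carries no CSRF token: the check happened at the edge,
    which is why the browser must never be allowed to reach the endpoint directly.
    """
    if validate_banner_submission(session, headers, form) is not None:
        return None
    return {
        "url": CONSENT_FORWARD_URL,
        "method": "POST",
        "json": {"visitor_id": session["visitor_id"], "consent": form["consent"]},
    }
```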