Glossary

CSRF

CSRF — a term used across the Credicorp developer documentation, defined here for engineers integrating the public /public/v1 API.


Attack type: forgery
Where trust sits: edge boundary

What it is

CSRF (cross-site request forgery) tricks a logged-in user’s browser into making an unwanted request. The usual defence is a per-session token the server checks.

In the Credicorp API

The public ring is unauthenticated, so classic session-CSRF does not apply the same way. The consent endpoint accepts a forwarded snapshot without a CSRF check precisely because the edge already validated the visitor’s own form — the edge is the origin/CSRF trust boundary. Do not call it straight from the browser.

Frequently asked questions

Why is there no CSRF token on the consent endpoint?

Because it expects a trusted server-side forward from your edge, which has already validated the visitor’s banner interaction. The edge is the trust boundary, not a token.
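The edge-side check that the sections above describe (validate the visitor's own banner form at the edge, then forward a snapshot server-side rather than from the browser), written out as an added example; this is not Credicorp's code, and the consent endpoint path, the snapshot shape and the merchant origin are placeholders.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Placeholders, not values from the Credicorp docs.
CONSENT_ENDPOINT = "/public/v1/<consent-endpoint-placeholder>"
ALLOWED_ORIGINS = {"https://www.example-merchant.test"}  # the edge's own site


@dataclass
class Session:
    """Server-side session; the per-session CSRF token is minted here, never by the browser."""
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class BrowserRequest:
    """Constructed stand-in for the banner form POST that reaches the edge."""
    origin: str
    form: dict


def edge_banner_handler(req, session, forward):
    """Validate the visitor's banner interaction at the edge, then forward a snapshot.

    Returns (status, reason). `forward` is injected so the example runs offline;
    in production it is an HTTPS client call made from the edge, not the browser.
    """
    # 1. Origin check: a cross-site POST carries a foreign Origin (or none at all).
    if req.origin not in ALLOWED_ORIGINS:
        return 403, "origin-rejected"
    # 2. Per-session token check; constant-time compare avoids a timing oracle.
    token = req.form.get("csrf_token", "")
    if not token or not hmac.compare_digest(token, session.csrf_token):
        return 403, "csrf-token-rejected"
    # 3. Only after both checks pass does the edge build and forward the snapshot
    #    (assumed shape); the consent endpoint itself performs no CSRF check.
    snapshot = {"consent": req.form.get("consent") == "yes"}
    forward(CONSENT_ENDPOINT, snapshot)
    return 200, "forwarded"
```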
