Definition
CSRF (Cross-Site Request Forgery) is an attack in which a malicious website causes a user's browser to send an unwanted request to another website where the user is authenticated. Because browsers automatically include cookies with requests, the target site may treat the forged request as legitimate and perform the action it encodes - transfer money, change email, delete an account.
Defenses include SameSite cookies (the browser withholds the session cookie on cross-site requests), CSRF tokens (a random value the server issues and expects back in every state-changing form or request), and double-submit patterns (the token is sent both as a cookie and in the request body, and the two must match). Modern frameworks typically bake CSRF protection into their form helpers, so it is enabled by default rather than opt-in.
How SheetLinkWP relates to CSRF
SheetLink Forms uses WordPress nonces (the platform's standard CSRF protection) on every admin form and every AJAX endpoint. A nonce is a short-lived token tied to a specific action and user. Settings saves, license activations, and integration tests all require a valid nonce - without one, WordPress rejects the request with a 403 Forbidden. The public form-submission webhook is protected differently: Apps Script validates a shared secret that only your WordPress site and your Sheet know.
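The nonce pattern described above, as an added example and not SheetLink Forms' own code: a minimal WordPress plugin fragment that puts a nonce on an admin settings form, verifies it on the POST handler, and requires a nonce on an AJAX endpoint. The option name `example_sheet_id`, the action names, the `_example_nonce` field and the `admin.js` file are hypothetical placeholders; the WordPress functions (`wp_nonce_field`, `check_admin_referer`, `check_ajax_referer`, `wp_create_nonce`, `wp_localize_script`) are the platform's real API.

```php
<?php
// Added example (not the plugin's own code): nonce-based CSRF protection for
// (1) an admin settings form and (2) an AJAX endpoint. All names prefixed
// "example_" are hypothetical placeholders.

defined( 'ABSPATH' ) || exit;

// (1) Render a settings form carrying a nonce bound to one specific action.
function example_render_settings_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    $value = get_option( 'example_sheet_id', '' );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_save_settings">
        <?php wp_nonce_field( 'example_save_settings', '_example_nonce' ); ?>
        <label>Sheet ID
            <input type="text" name="sheet_id" value="<?php echo esc_attr( $value ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// Handle the POST. check_admin_referer() dies with a 403 when the nonce is
// missing, invalid or expired, which is exactly what a forged cross-site form
// submission hits: the attacker's page cannot read the victim's nonce.
// The capability check is separate: a nonce proves intent, not authorisation.
function example_handle_save_settings() {
    check_admin_referer( 'example_save_settings', '_example_nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    $sheet_id = isset( $_POST['sheet_id'] )
        ? sanitize_text_field( wp_unslash( $_POST['sheet_id'] ) )
        : '';
    update_option( 'example_sheet_id', $sheet_id );
    $back = wp_get_referer() ?: admin_url( 'options-general.php' );
    wp_safe_redirect( add_query_arg( 'updated', '1', $back ) );
    exit;
}
add_action( 'admin_post_example_save_settings', 'example_handle_save_settings' );

// (2) AJAX: hand a fresh nonce to the admin script, then demand it on each call.
function example_enqueue_admin_script() {
    wp_enqueue_script( 'example-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-admin', 'exampleAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'example_test_integration' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_admin_script' );

function example_ajax_test_integration() {
    // Third argument false: return instead of dying so we can answer with JSON 403.
    if ( ! check_ajax_referer( 'example_test_integration', 'nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid or expired nonce.' ), 403 );
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
    // Placeholder "integration test": report whether a Sheet ID is configured.
    $configured = '' !== get_option( 'example_sheet_id', '' );
    wp_send_json_success( array( 'configured' => $configured ) );
}
// Only the logged-in hook is registered; there is deliberately no
// wp_ajax_nopriv_ counterpart, so anonymous callers never reach the handler.
add_action( 'wp_ajax_example_test_integration', 'example_ajax_test_integration' );
```

Two points worth checking in any plugin audit: every handler verifies the nonce *and* a capability (a nonce alone does not say the user may perform the action), and the AJAX script receives its nonce through `wp_localize_script` rather than hard-coding it, since nonces expire and are bound to the current user.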