Cross-Site Request Forgery (CSRF) is an attack listed in the OWASP Top 10 in which a malicious website causes the victim's browser to send a request to a web application the user is already authenticated against. Because the browser attaches the user's session cookies to that request automatically, the application treats the forged request as a legitimate action by that user. A more detailed explanation is here.
To prevent CSRF attacks in SharePoint application pages that POST data to the server, use the SharePoint FormDigest control. When the page is requested (usually via GET), the FormDigest control inserts a server-generated digest (an anti-forgery token tied to the current user and site) into the form as a hidden field. In the code-behind, SPUtility.ValidateFormDigest() checks that the POST carries a digest this server issued; a forged request from another site cannot include one, because the attacker's page never received it. Validate the digest in every code-behind handler that writes data to the database, the server, or a SharePoint list, and in particular before any write performed inside RunWithElevatedPrivileges: an elevated write runs as the system account, so a forged request there does not even need the victim's own permissions to succeed. Note also that SharePoint's object model only enforces the digest on its own when AllowUnsafeUpdates is false; setting web.AllowUnsafeUpdates = true (a common way to silence the "security validation for this page is invalid" error) disables that built-in check, which is exactly why the explicit ValidateFormDigest() call is needed. Two steps:
1. Add the FormDigest control to the custom application page so that every rendered form carries a digest.
2. Call SPUtility.ValidateFormDigest() in the code-behind POST handlers of the application page, before any write and before setting AllowUnsafeUpdates, and refuse the request if it returns false, so that a request which did not originate from a page served by this server is rejected.
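The two steps put together in one application page, as an added example that is not code from the original post. The page name, namespace, control IDs and the "Settings" list are assumptions chosen for the illustration; the FormDigest control, SPUtility.ValidateFormDigest(), SPUtility.TransferToErrorPage() and SPSecurity.RunWithElevatedPrivileges() are the real SharePoint server object model APIs. The markup for the .aspx is shown in the leading comment; the rest is the code-behind.

```csharp
// Hypothetical application page (assumed name): /_layouts/15/MyProject/UpdateSetting.aspx
//
// Markup placed inside the page's PlaceHolderMain content control (assumed IDs):
//
//   <%@ Register TagPrefix="SharePoint" Namespace="Microsoft.SharePoint.WebControls"
//       Assembly="Microsoft.SharePoint, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" %>
//   <SharePoint:FormDigest runat="server" ID="formDigest" />   <!-- step 1: emits the digest as a hidden field -->
//   <asp:TextBox runat="server" ID="txtValue" />
//   <asp:Button runat="server" ID="btnSave" Text="Save" OnClick="btnSave_Click" />

using System;
using System.Web.UI.WebControls;
using Microsoft.SharePoint;
using Microsoft.SharePoint.Utilities;
using Microsoft.SharePoint.WebControls;

namespace MyProject.Layouts // assumed namespace
{
    public partial class UpdateSetting : LayoutsPageBase
    {
        protected TextBox txtValue;

        // Step 2: the POST handler validates the digest before touching anything.
        protected void btnSave_Click(object sender, EventArgs e)
        {
            // A cross-site POST reaches this handler with the victim's cookies but
            // without a digest issued to this user for this site, so it fails here.
            // The check runs before AllowUnsafeUpdates is set, so nothing below
            // can be reached by a forged request.
            if (!SPUtility.ValidateFormDigest())
            {
                SPUtility.TransferToErrorPage("The security validation for this page is invalid.");
                return;
            }

            string value = txtValue.Text;
            Guid siteId = SPContext.Current.Site.ID;
            Guid webId = SPContext.Current.Web.ID;

            // The write runs as the system account: without the digest check above,
            // a forged request would be executed with those privileges regardless of
            // what the victim is allowed to do.
            SPSecurity.RunWithElevatedPrivileges(delegate
            {
                using (SPSite site = new SPSite(siteId))
                using (SPWeb web = site.OpenWeb(webId))
                {
                    // Disables SharePoint's own digest enforcement for this SPWeb,
                    // which is why the explicit ValidateFormDigest() call is required.
                    web.AllowUnsafeUpdates = true;
                    try
                    {
                        SPList list = web.Lists["Settings"]; // assumed list name
                        SPListItem item = list.AddItem();
                        item["Title"] = value;
                        item.Update();
                    }
                    finally
                    {
                        web.AllowUnsafeUpdates = false;
                    }
                }
            });
        }
    }
}
```

The digest is only valid for a limited time (the web application's security validation timeout, 30 minutes by default), so a form left open longer than that will fail validation on submit; that is the expected behaviour, not a bug in the check. Keep the validation at the top of the handler rather than inside the elevated delegate, so that a failed check never opens an elevated SPSite at all.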