I read this post Understanding CSRF – Simple Question
But I still do not understanding how the CSRF token can prevent a CSRF token.
The main problem which confused me is that why the attacker can make any http request to my site, but he cannot read back the response?
1、If I post a http request to get token before every post request, attacker also can make an “get token” request to get token.
2、If I set token to the hidden input while the .html page is loading, attacker also can make a “get html” request to get the this .html page and read the value of hidden page.
I just don’t understand why the attacker can make request but can not read the response?
The attacker cannot make the request himself at all. What he can do is trick his victim (or the victim’s browser) to make that request. So any response would go back to the victim’s browser, too.
The problem here is that the attacker can choose the URL, and even without seeing any response, accessing that URL may have harmful consequences for the victim.
The reason why the attacker needs to trick the victim into making the request (as opposed to just accessing the URL himself) is that if the victim does it, the victim’s session cookies will also be sent along, so it looks like an authenticated action for the server.
The attacker can only get a hidden input for his own session, not for the victim’s session. This hidden input will be different from session to session (otherwise there is not point).
The CSRF token makes sure that every (critical) request includes a random piece of data that must match the user’s session. This way, an attacker cannot just guess what the complete URL would be, and trick someone into clicking on it.