What is a CSRF token?

A Cross-Site Request Forgery (CSRF) token is a secret, unique, unpredictable value tied to a user session. It is embedded in state-changing requests so the server can verify the request originated from the legitimate application, not a malicious third-party site.

Is this tool secure to use?

Yes. All generation happens entirely in your browser using the Web Crypto API's crypto.getRandomValues() , which is cryptographically secure. No token is ever transmitted to any server.

How long should my CSRF token be?

OWASP recommends at least 128 bits (16 bytes) of entropy. 32 bytes (256 bits) is a common production choice. 64 bytes provides very high entropy for extremely sensitive operations.

Which output format should I use?

Use hex for database storage and header values. Use base64 or base64url when you need shorter tokens. Use base64url (no padding) for URL parameters or JWT claims — it avoids characters that require percent-encoding.

How do I use this token in a form?

Store the generated token in the user's session on the server side. Embed the same token in your HTML form as a hidden input: <input type="hidden" name="_csrf" value="TOKEN_HERE"> . On form submission, verify the submitted token matches the session value.

CSRF Token Generator

Name: CSRF Token Generator
Availability: InStock
Author: Nham Vu

Generate cryptographically secure CSRF tokens using the Web Crypto API. Choose length and format, then copy for use in your forms.

Token Options

Token Length

Output Format

256

Entropy (bits)

Bytes

Characters

Generated Token

HTML Form Usage

Copied!

Summary

Generate cryptographically secure CSRF tokens using the Web Crypto API. Choose length and format, then copy for use in your forms.

How it works

Select the desired token byte length: 16 (128-bit), 32 (256-bit), or 64 (512-bit).
Choose an output format: hex, base64, or base64url (URL-safe, no padding).
Click "Generate Token" or any option to produce a new cryptographically random token.
The entropy in bits is calculated and displayed alongside the token.
Click "Copy" to copy the token to your clipboard for use in your application.

Use cases

Generate a one-time CSRF token to embed in HTML forms as a hidden field.
Create synchronizer tokens for AJAX requests sent as custom headers.
Produce URL-safe tokens for double-submit cookie CSRF mitigation patterns.
Generate secure nonces for Content Security Policy (CSP) headers.
Test CSRF protection implementations during security audits.

Frequently Asked Questions

Last updated: 2026-06-09 · Reviewed by Nham Vu