How does CSRF work, and what are the primary defenses?
CSRF abuses the browser's habit of automatically attaching credentials (cookies) to cross-site requests, letting a malicious page trigger state-changing actions as the logged-in victim. Defenses: anti-CSRF tokens (synchronizer or double-submit), SameSite=Lax/Strict cookies, and verifying the Origin/Referer header on state-changing requests. Note that CSRF tokens don't help if you also have XSS, since script running in the application's own origin can simply read the token and submit it.
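The synchronizer-token and Origin-check defenses described above, as an added example that is not part of the original answer: a framework-free Python sketch of the server side, with a constructed origin `https://app.example`, an in-memory session store, and the policy choice that a POST with no Origin/Referer header is rejected.

```python
import hmac
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "https://app.example"  # constructed: the application's own origin


def issue_session(store):
    """Create a session bound to a fresh synchronizer token.

    Returns (session_id, csrf_token, set_cookie_header). The token is stored
    server-side and must be echoed back in the form body; the cookie carries
    SameSite=Lax so the browser itself withholds it on cross-site POSTs.
    """
    sid = secrets.token_urlsafe(32)
    token = secrets.token_urlsafe(32)
    store[sid] = token
    cookie = f"session={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"
    return sid, token, cookie


def check_state_changing_request(store, headers, cookies, form):
    """Decide whether a state-changing request may proceed; returns (ok, reason)."""
    # 1. Origin check (fall back to Referer). Missing header -> reject (policy choice).
    source = headers.get("Origin") or headers.get("Referer")
    if source is None:
        return False, "missing Origin/Referer"
    parts = urlsplit(source)
    if f"{parts.scheme}://{parts.netloc}" != SITE_ORIGIN:
        return False, "cross-site origin"
    # 2. Synchronizer token: compare the form value to the one tied to this session.
    sid = cookies.get("session")
    expected = store.get(sid) if sid else None
    if expected is None:
        return False, "no session"
    submitted = form.get("csrf_token", "")
    if not hmac.compare_digest(expected, submitted):  # constant-time compare
        return False, "bad token"
    return True, "ok"


def demo():
    """Legitimate same-origin POST passes; a forged cross-site POST is refused."""
    store = {}
    sid, token, _cookie = issue_session(store)
    cookies = {"session": sid}  # the browser would attach this automatically
    good = check_state_changing_request(store, {"Origin": SITE_ORIGIN}, cookies, {"csrf_token": token})
    forged = check_state_changing_request(store, {"Origin": "https://evil.example"}, cookies, {})
    return good[0], forged[0]
```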