Traditional HTTP requests flow throught the network "pipe" (TCP connection) and the pipe only allows requests to flow in 1 direction ("to" or "from") and only 1 request can be be sent through the at once (Single-plexing).
HTTP 1.1 allows browser to form 6 such TCP connections to the server. This approach was quite expensive as servers held resource descritptors which eats a lot of server memory.
HTTP2 enabled multiplexing thought the same network pipe. The pipe has different streams and each stream carriers an ID which lets client map the responses to its respective client.
Cross-site request forgery (also known as CSRF) is a web security vulnerability that allows an attacker to induce users to perform actions that they do not intend to perform. In a successful CSRF attack, the attacker causes the victim user to carry out an action unintentionally.
For a CSRF attack to be possible, three key conditions must be in place:
- A relevant action. There is an action within the application that the attacker has a reason to induce. This might be a privileged action (such as modifying permissions for other users) or any action on user-specific data (such as changing the user's own password).
- Cookie-based session handling. Performing the action involves issuing one or more HTTP requests, and the application relies solely on session cookies to identify the user who has made the requests. There is no other mechanism in place for tracking sessions or validating user requests.
- No unpredictable request parameters. The requests that perform the action do not contain an