Cross-site request foregery is one of many techniques an attacker might use to pwn a web application. In this article we take a close look at how exactly CSRF tokens work from the context of the Phoenix Web Framework. I set out to understand how CSRF tokens are generated and validated. I did it by tracing the flow of function calls through a Phoenix web applciation. It was a process that led me do