When a user submits a form or performs an action on a website, a CSRF token is included in the request. The server validates this token to confirm that the request is coming from an authenticated user and not from an attacker. If the token is missing or invalid, the server rejects the request, thereby preventing any potential CSRF attack.
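One way to implement the issue-and-validate flow described above, as an added example rather than code from the original page. It assumes a token that is an HMAC bound to the user's session ID; `SERVER_SECRET`, `issue_token`, `validate_token`, `handle_post` and the `csrf_token` field name are hypothetical.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Assumption: a per-deployment secret kept server-side; generated here for the demo.
SERVER_SECRET = secrets.token_bytes(32)


def _sign(session_id: str, nonce: str) -> str:
    # Length-prefix the session id so (session_id, nonce) pairs cannot collide.
    msg = f"{len(session_id)}:{session_id}:{nonce}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def issue_token(session_id: str) -> str:
    """Create a token to embed in a form rendered for this session."""
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_sign(session_id, nonce)}"


def validate_token(session_id: str, token: Optional[str]) -> bool:
    """Return True only if the token was issued for this session."""
    if not token or "." not in token:
        return False  # missing or malformed token
    nonce, _, mac = token.partition(".")
    expected = _sign(session_id, nonce)
    # Constant-time comparison avoids leaking the MAC through timing.
    return hmac.compare_digest(mac.encode(), expected.encode())


def handle_post(session_id: str, form: dict) -> int:
    """Hypothetical handler: HTTP status for a state-changing request."""
    if not validate_token(session_id, form.get("csrf_token")):
        return 403  # reject: token missing or invalid
    return 200  # token valid: perform the action
```

Because the MAC covers the session ID, a token issued to one session fails validation when replayed in another.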