CSRF tokens are unique, unpredictable values generated by a server to protect web applications from Cross-Site Request Forgery attacks by ensuring that requests made on behalf of a user are intentionally initiated by the user. By embedding these tokens in forms and verifying them with each request, servers can confirm the legitimacy of actions and prevent unauthorized transactions.