Reputation: 11547
I wonder if I could put the CSRF token in <head>, on a meta tag or something, and then access it on my server. It would really simplify the process and make it more transparent. I just don't know how. I was really hoping to do this without JavaScript involved.
I think Rails implements something like that... with ETags maybe?
Upvotes: 3
Views: 2008
Reputation: 29
The OWASP CSRF prevention guide details a technique using custom headers in which the server sets the CSRF token in a cookie; using an HMAC of a server-side secret and some data unique to the session is common. Then the client writes this into a custom header on all requests to the server. No hidden inputs needed, no extra server state.
Upvotes: 0
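The cookie-plus-custom-header scheme this answer describes, written out as an added Python example (not code from the answer or from OWASP). The secret, session id and header name `X-CSRF-Token` are constructed for the demo; the server recomputes the HMAC per request, so it stores nothing beyond the session it already has.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Constructed demo secret; a real deployment loads this from configuration,
# never from anything the client sends.
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"


def make_csrf_token(server_secret: bytes, session_id: str) -> str:
    """Derive the CSRF token as HMAC-SHA256(server_secret, session_id).

    The token is a pure function of the secret and the session id, so the
    server can recompute it on every request and keeps no extra state.
    """
    return hmac.new(server_secret, session_id.encode("utf-8"), hashlib.sha256).hexdigest()


def verify_csrf(server_secret: bytes, session_id: str,
                cookie_token: Optional[str], header_token: Optional[str]) -> bool:
    """Validate a state-changing request. Both conditions must hold:

    1. cookie value == custom header value (double submit: a cross-site page
       can make the browser attach the cookie but cannot read it to copy it
       into a header), and
    2. the value is the HMAC the server derives for this session, so a pair
       planted by an attacker (e.g. via cookie injection) does not pass.
    A missing cookie or header fails closed.
    """
    if not cookie_token or not header_token:
        return False
    expected = make_csrf_token(server_secret, session_id)
    # Constant-time comparisons avoid leaking token bytes through timing.
    return (hmac.compare_digest(cookie_token, header_token)
            and hmac.compare_digest(header_token, expected))


def new_session() -> Tuple[str, str]:
    """Simulate login: mint a session id and the CSRF cookie that goes with it."""
    session_id = secrets.token_urlsafe(16)
    return session_id, make_csrf_token(SERVER_SECRET, session_id)


if __name__ == "__main__":
    sid, token = new_session()
    # Same-origin client copied the cookie into the X-CSRF-Token header.
    print(verify_csrf(SERVER_SECRET, sid, token, token))            # True
    # Forged cross-site request: browser sends the cookie, no custom header.
    print(verify_csrf(SERVER_SECRET, sid, token, None))             # False
    # Matching pair that was not derived from the server secret.
    print(verify_csrf(SERVER_SECRET, sid, "deadbeef", "deadbeef"))  # False
```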
Reputation: 67019
There are many methods listed on the CSRF prevention cheat sheet. One that doesn't require a hidden field on every form is to check the Referer. Keep in mind the lack of the Referer should be considered a CSRF attack and may cause problems with some privacy browser addons (which is very uncommon).
Upvotes: 3
Reputation: 37803
The fundamental purpose of a CSRF token is that it is delivered back to the server with each form submission. You deliver the unique token to a page, and when the form on that page is submitted the token comes back with it.
If you don't include the token on the form (or use JavaScript to programmatically add a token to the form that's currently elsewhere on the page) it will not be sent back to the server.
Perhaps the better question is: what is it you're really trying to accomplish? In other words, why would you not want to include a CSRF token within the form? What's the disadvantage you'd like to overcome in your scenario?
Upvotes: 3