nakajuice

Reputation: 692

Is an application sufficiently secured against CSRF attacks if I send AJAX requests with jQuery and only validate their X-Requested-With header?

According to this article, it is enough to validate the X-Requested-With header for AJAX requests sent by jQuery. So in this case, is it not necessary to implement tokens?

And if yes, where is it defined that cross-browser requests are not allowed?

Thanks in advance.

Upvotes: 0

Views: 139

Answers (1)

Spain Train

Reputation: 6006

The article itself says that this method is insufficient:

Warning

The method of preventing CSRF attacks described in this post is now considered to be insufficient. A comment on this post links to more details about an attack that circumvents it.

Upvotes: 1
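Added example (not part of the question, the answer, or the linked article): a server-side check that treats `X-Requested-With` as one signal only and also requires a per-session token on every state-changing request. The function names, the `X-CSRF-Token` header name, and the plain-object `session` and `req` shapes are assumptions made for illustration.

```javascript
// Added example: header check plus per-session token (all names hypothetical).
const crypto = require('crypto');

// Issue a random per-session token. The page template would embed it so that
// jQuery can send it back, e.g. via $.ajaxSetup({ headers: { 'X-CSRF-Token': t } }).
function issueCsrfToken(session) {
  session.csrfToken = crypto.randomBytes(32).toString('hex');
  return session.csrfToken;
}

// Constant-time comparison that tolerates missing or wrong-length input.
function safeEqual(a, b) {
  if (typeof a !== 'string' || typeof b !== 'string') return false;
  const ba = Buffer.from(a, 'utf8');
  const bb = Buffer.from(b, 'utf8');
  return ba.length === bb.length && crypto.timingSafeEqual(ba, bb);
}

// Methods that must not change state and are therefore exempt from the check.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

// req: { method, headers } with lower-cased header names, as Node's http module provides.
// Returns { ok, reason } so that rejections can be logged with their cause.
function checkCsrf(req, session) {
  if (SAFE_METHODS.has(req.method)) return { ok: true, reason: 'safe-method' };
  // The header jQuery adds to its AJAX requests; necessary here, not sufficient.
  if (req.headers['x-requested-with'] !== 'XMLHttpRequest') {
    return { ok: false, reason: 'missing-xhr-header' };
  }
  if (!session || !session.csrfToken) {
    return { ok: false, reason: 'no-session-token' };
  }
  // The token is the actual defence: it is bound to the session and unguessable.
  if (!safeEqual(req.headers['x-csrf-token'], session.csrfToken)) {
    return { ok: false, reason: 'bad-token' };
  }
  return { ok: true, reason: 'token-match' };
}
```

A request that carries only the `X-Requested-With` header is rejected with `bad-token`, which is the case the article's warning is about.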
