victor

Reputation: 193

CSRF Protection with Custom header other than X-Requested-By

This is related to the post https://security.stackexchange.com/questions/23371/csrf-protection-with-custom-headers-and-without-validating-token/23373#23373?newreg=9acf3e40d05f4d19a00eb58b160f8453

So if we have decided to use Custom Header Validation as an option for CSRF protection, and if we need to use some other custom header other than "X-Requested-By", then what is the best way to do that?

Upvotes: 2

Views: 1617

Answers (1)

Karthik Chandraraj

Reputation: 1041

From the source code of CsrfProtectionFilter, the header to validate is defined as a private static variable. So it is not possible to change the header to validate.

private static final String HEADER_NAME = "X-Requested-By";

It is good to stick to the standards and use X-Requested-By.
But, still, if you want to validate a separate header, you need to write your own filter, which is very easy. Just copy the class and change the header (which is not recommended).

Upvotes: 1
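As an added example of the "write your own filter" approach (this is not Jersey's CsrfProtectionFilter and not code from the answer above), here is a JAX-RS 2 ContainerRequestFilter that rejects state-changing requests lacking a configurable header. The class name, the constructed default header name X-Acme-CSRF and the use of the JAX-RS 2 API (javax.ws.rs.container) are assumptions.

```java
import java.io.IOException;
import java.util.Set;

import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.PreMatching;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;

/**
 * Hypothetical custom-header CSRF filter (not Jersey's own class).
 * Any request that can change state (anything other than GET, HEAD,
 * OPTIONS) must carry the configured header, or it is rejected with
 * 400 Bad Request before the resource method is matched.
 */
@Provider
@PreMatching
public class CustomHeaderCsrfFilter implements ContainerRequestFilter {

    // Constructed example header name; any name works, as long as a
    // browser will not attach it cross-origin without a CORS preflight.
    public static final String DEFAULT_HEADER = "X-Acme-CSRF";

    // Safe methods pass through so navigation and preflight keep working.
    private static final Set<String> SAFE_METHODS = Set.of("GET", "HEAD", "OPTIONS");

    private final String headerName;

    // No-arg constructor lets the JAX-RS runtime instantiate the @Provider.
    public CustomHeaderCsrfFilter() {
        this(DEFAULT_HEADER);
    }

    public CustomHeaderCsrfFilter(String headerName) {
        this.headerName = headerName;
    }

    @Override
    public void filter(ContainerRequestContext ctx) throws IOException {
        if (!isAllowed(ctx.getMethod(), ctx.getHeaderString(headerName))) {
            ctx.abortWith(Response.status(Response.Status.BAD_REQUEST)
                    .entity("Missing required header: " + headerName)
                    .build());
        }
    }

    /** Pure decision logic, kept separate so it can be unit-tested. */
    static boolean isAllowed(String method, String headerValue) {
        if (SAFE_METHODS.contains(method.toUpperCase())) return true;
        return headerValue != null && !headerValue.isEmpty();
    }
}
```

The check is only sound because browsers refuse to send a custom header cross-origin without a successful CORS preflight, so the server's CORS configuration must not allow this header for untrusted origins.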
