Cyclone

Reputation: 18295

Prevent CSRF on things which aren't part of forms in codeigniter

I know that Codeigniter has a very useful security class which can prevent CSRF/XSRF if you use the form helpers, but since the CI URL structure calls a lot of functions pretty much directly, how can I prevent CSRF for things like /action/logout without having an additional confirmation form like SE has?

Ideas I've had:

I won't bother protecting things like /account/view/1/cyclone/ since it doesn't perform an action and would at most be a waste of bandwidth.

Granted, I do know that some people like to code things to automate their website usage and I respect that, which is why I'll be creating an API for performing actions via code or automatically.

Upvotes: 1

Views: 458

Answers (1)

Mike

Reputation: 24373

As a general rule, any form request that performs an action should use POST. For all else, GET is permitted. Using POST will definitely help. I believe you can also include the token as a hidden field in the form instead of an ugly string in the URL. As for checking the requested MIME type, this is not possible. Do a print_r($_SERVER) and in there is basically everything you get from the user as well as server-side stuff.

Upvotes: 1
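As an added example (not from the question or answer above, and not CodeIgniter's own code), here is how the POST-plus-hidden-token approach looks for a URL like /action/logout in CodeIgniter 3: the controller refuses to act on GET and instead serves a tiny POST form whose CSRF field the framework fills in and verifies. The controller name `Action`, the config values and the use of the session library are assumptions.

```php
<?php
// application/config/config.php (assumed CodeIgniter 3 settings):
//   $config['csrf_protection'] = TRUE;
//   $config['csrf_token_name']  = 'csrf_token';
//   $config['csrf_cookie_name'] = 'csrf_cookie';
//
// application/controllers/Action.php (hypothetical controller)
defined('BASEPATH') OR exit('No direct script access allowed');

class Action extends CI_Controller
{
    public function __construct()
    {
        parent::__construct();
        $this->load->helper(array('form', 'url'));
        $this->load->library('session');
    }

    // /action/logout: a state-changing action, so it must only run on POST.
    // CodeIgniter 3 verifies the CSRF token for POST requests only, which is
    // why simply refusing GET here is what makes the built-in check bite.
    public function logout()
    {
        if ($this->input->method(TRUE) !== 'POST') {
            // A plain link (or an attacker's <img src=...>) lands here and
            // gets a form instead of a logout. form_open() inserts the
            // hidden CSRF field automatically when csrf_protection is on,
            // so no token ever needs to appear in the URL.
            echo form_open('action/logout');
            echo form_submit('logout', 'Log out');
            echo form_close();
            return;
        }

        // A POST only reaches this point if CI_Security::csrf_verify()
        // accepted the submitted token against the cookie, i.e. the
        // request originated from a page this site rendered.
        $this->session->sess_destroy();
        redirect('/');
    }
}
```

Script clients that post to such an action can read the field name and value via `$this->security->get_csrf_token_name()` and `$this->security->get_csrf_hash()` when rendering the page, rather than being handed a token in a query string.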
