6:[["$","$Le",null,{}],["$","div",null,{"className":"min-h-screen bg-gray-100 p-6","children":[["$","$Lf",null,{}],["$","script",null,{"type":"application/ld+json","dangerouslySetInnerHTML":{"__html":"{\"@context\":\"https://schema.org\",\"@type\":\"QAPage\",\"mainEntity\":{\"@type\":\"Question\",\"name\":\"How to verify JQuery/AJAX referer to prevent CSRF?\",\"text\":\"

if ($_SERVER['HTTP_REFERER'] == \\\"????\\\")\\n

\\n\\n

What would the HTTP_REFERER be if this page was reached by a JQuery $.post request?

\\n\",\"author\":{\"@type\":\"Person\",\"name\":\"Norse\"},\"upvoteCount\":2,\"answerCount\":1,\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"

try

\\n\\n

strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) == 'xmlhttprequest')\\n

\\n\\n

Note That not all servers provide this variable

\\n\\n

and you can read this \\nDetecting Ajax in PHP and making sure request was from my own website

\\n\",\"author\":{\"@type\":\"Person\",\"name\":\"Muhannad A.Alhariri\"},\"upvoteCount\":4}}}"}}],["$","div",null,{"className":"bg-white shadow-md rounded-lg p-6 mb-6 relative","children":[["$","div",null,{"className":"absolute top-4 right-4 flex flex-wrap space-x-2","children":[["$","span","php",{"className":"bg-blue-600 text-white text-sm px-3 py-1 rounded-full","children":["$","$L10",null,{"href":"/discussion/tag/php/1","children":"php"}]}],["$","span","jquery",{"className":"bg-blue-600 text-white text-sm px-3 py-1 rounded-full","children":["$","$L10",null,{"href":"/discussion/tag/jquery/1","children":"jquery"}]}],["$","span","http",{"className":"bg-blue-600 text-white text-sm px-3 py-1 rounded-full","children":["$","$L10",null,{"href":"/discussion/tag/http/1","children":"http"}]}],["$","span","csrf",{"className":"bg-blue-600 text-white text-sm px-3 py-1 rounded-full","children":["$","$L10",null,{"href":"/discussion/tag/csrf/1","children":"csrf"}]}],["$","span","referer",{"className":"bg-blue-600 text-white text-sm px-3 py-1 rounded-full","children":["$","$L10",null,{"href":"/discussion/tag/referer/1","children":"referer"}]}]]}],["$","div",null,{"className":"flex items-center mb-4","children":[["$","img",null,{"src":"https://www.gravatar.com/avatar/66c92ee485db485ff66b21eab6f78be9?s=256&d=identicon&r=PG","alt":"Norse","className":"w-16 h-16 rounded-full border"}],["$","div",null,{"className":"ml-4","children":[["$","a",null,{"href":"https://stackoverflow.com/users/1093634/norse","target":"_blank","rel":"noopener noreferrer","className":"text-lg font-semibold text-blue-600 hover:underline","children":"Norse"}],["$","p",null,{"className":"text-sm text-gray-500","children":["Reputation: ",5757]}]]}]]}],["$","h1",null,{"className":"text-2xl font-bold text-gray-800 mb-4","children":"How to verify JQuery/AJAX referer to prevent CSRF?"}],["$","p",null,{"className":"text-gray-700 mt-4","dangerouslySetInnerHTML":{"__html":"

if ($_SERVER['HTTP_REFERER'] == \"????\")\n

\n\n

What would the HTTP_REFERER be if this page was reached by a JQuery $.post request?

\n"}}],["$","div",null,{"className":"text-gray-600 text-sm mt-4","children":[["$","p",null,{"children":["Upvotes: ",2]}],["$","p",null,{"children":["Views: ",3809]}]]}]]}],["$","div",null,{"className":"container mx-auto","children":[["$","h2",null,{"className":"text-2xl font-semibold text-gray-800 mb-6","children":["Answers (",1,")"]}],[["$","div","9696089",{"className":"bg-white shadow-md rounded-lg p-6 mb-6","children":[["$","div",null,{"className":"flex items-center mb-4","children":[["$","img",null,{"src":"https://www.gravatar.com/avatar/d07cdd32257241e20c59476cba8d939d?s=256&d=identicon&r=PG","alt":"Muhannad A.Alhariri","className":"w-12 h-12 rounded-full border"}],["$","div",null,{"className":"ml-4","children":[["$","a",null,{"href":"https://stackoverflow.com/users/716865/muhannad-a-alhariri","target":"_blank","rel":"noopener noreferrer","className":"text-lg font-semibold text-blue-600 hover:underline","children":"Muhannad A.Alhariri"}],["$","p",null,{"className":"text-sm text-gray-500","children":["Reputation: ",3912]}]]}]]}],["$","p",null,{"className":"text-gray-700 mb-4","dangerouslySetInnerHTML":{"__html":"

try

\n\n

strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) == 'xmlhttprequest')\n

\n\n

Note That not all servers provide this variable

\n\n

and you can read this \nDetecting Ajax in PHP and making sure request was from my own website

\n"}}],["$","div",null,{"className":"text-gray-600 text-sm","children":["$","p",null,{"children":["Upvotes: ",4]}]}]]}]]]}],["$","div",null,{"className":"bg-white shadow-md rounded-lg p-6 mt-6","children":[["$","h2",null,{"className":"text-2xl font-semibold text-gray-800 mb-4","children":"Related Questions"}],["$","ul",null,{"className":"list-disc list-inside","children":[["$","li","28466549",{"className":"mb-2","children":["$","$L10",null,{"href":"/discussion/solution/28466549","className":"text-blue-600 hover:underline","children":"how to verify referrer inside a MVC or Web Api ajax call"}]}],["$","li","1413930",{"className":"mb-2","children":["$","$L10",null,{"href":"/discussion/solution/1413930","className":"text-blue-600 hover:underline","children":"Is checking the referrer enough to protect against a CSRF attack?"}]}],["$","li","47221558",{"className":"mb-2","children":["$","$L10",null,{"href":"/discussion/solution/47221558","className":"text-blue-600 hover:underline","children":"CSRF only needed for ajax"}]}],["$","li","3132501",{"className":"mb-2","children":["$","$L10",null,{"href":"/discussion/solution/3132501","className":"text-blue-600 hover:underline","children":"How do I provide more security for checking source of the request"}]}],["$","li","26952107",{"className":"mb-2","children":["$","$L10",null,{"href":"/discussion/solution/26952107","className":"text-blue-600 hover:underline","children":"CSRF protection in PHP"}]}],["$","li","23448007",{"className":"mb-2","children":["$","$L10",null,{"href":"/discussion/solution/23448007","className":"text-blue-600 hover:underline","children":"Preventing CSRF with tokens in a AJAX based application"}]}],["$","li","16378600",{"className":"mb-2","children":["$","$L10",null,{"href":"/discussion/solution/16378600","className":"text-blue-600 hover:underline","children":"Preventing CSRF and XSRF Attacks for jQuery $.post"}]}],["$","li","14192863",{"className":"mb-2","children":["$","$L10",null,{"href":"/discussion/solution/14192863","className":"text-blue-600 hover:underline","children":"PHP: CSRF prevention, checking for remote addess"}]}],["$","li","8465318",{"className":"mb-2","children":["$","$L10",null,{"href":"/discussion/solution/8465318","className":"text-blue-600 hover:underline","children":"Is this all that needs to be done to prevent CSRF with PHP and Ajax?"}]}],["$","li","2797942",{"className":"mb-2","children":["$","$L10",null,{"href":"/discussion/solution/2797942","className":"text-blue-600 hover:underline","children":"PHP check http referer for form submitted by AJAX, secure?"}]}]]}]]}]]}],["$","$L11",null,{}],["$","$L12",null,{}],["$","$L13",null,{}],["$","$L14",null,{}],["$","$L15",null,{}]]

How to verify JQuery/AJAX referer to prevent CSRF?

Answers (1)

Related Questions