I have implemented CSRF protection on my website using a CSRF token in a hidden input field in my forms. However at some places in my website I don’t use a form for certain actions, e.g. a user can click a link to delete something (e.g. /post/11/delete). Currently this is open to a CSRF attack, so I want to implement a prevention for these links. How can I do this? I can think of two possible ways:
- Make all links (which for example delete something) into tiny forms with only one hidden field (the CSRF token) and one submit button (styled as a normal link).
- Add the CSRF token to the query-string
I don’t like either of those options:
- Styling a submit button to act exactly as a link might have some issues getting it correct (cross platform)?
- Although it will never be picked up by search engines and don’t like some random string in my URL (just aesthetics).
So is there a way I’m overlooking or are those two my options?
If you really don’t want URL parameters with long random values, you could implement a confirmation page for each Delete action, and have a form with your hidden field there.
Requests received at /post/11/delete without valid token will make the server respond with the confirmation page.
Requests received at /post/11/delete with valid token will trigger the deletion.