If my Ajax requests set a X-Requested-With header, can I just skip the CSRF check if this header is present? Can I be sure it cannot be forged (with the user session)?
As long as you don’t have a wide open crossdomain.xml (you might have this b/c you host flash content on your site?) or your visitors have old browsers, you should be rather safe. Though I would recommend the use of a “crumb”-token (random value in cookie and the same value in the requests). This b/c flash may set the X-Requested-With and I think that old IE versions allow you to do so too (not sure on this one though).
With “can I just skip the CSRF check” I assume you refer to this crumb/token? B/c checking X-Requested-With is a way of checking against CSRF.
Since this header is optional, browsers may not always send it, and according to this page they seem to not do it over SSL.
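The following is an added example, not code from the question or the answer above, showing the server-side gate the answer recommends: the X-Requested-With marker is checked, but a state-changing request is only accepted when the crumb value sent in a request header also matches the value stored in the cookie. The cookie name `csrf_crumb` and the header name `X-CSRF-Crumb` are assumptions for the example; use whatever names your framework expects.

```python
import hmac
import secrets
from typing import Mapping, Optional

# Assumed names for this example; any framework-specific names work the same way.
CRUMB_COOKIE = "csrf_crumb"
CRUMB_HEADER = "X-CSRF-Crumb"
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})


def new_crumb() -> str:
    """Random crumb to set as a cookie for the session (double-submit pattern)."""
    return secrets.token_urlsafe(32)


def _lookup(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup; HTTP header names are not case-sensitive."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def xhr_marker_present(headers: Mapping[str, str]) -> bool:
    """The check the question asks about: is the Ajax marker header present?
    Optional header, and the answer notes it can be set by other clients,
    so on its own it is not a sufficient CSRF defence."""
    return _lookup(headers, "X-Requested-With") == "XMLHttpRequest"


def crumb_matches(headers: Mapping[str, str], cookies: Mapping[str, str]) -> bool:
    """The crumb check the answer recommends: the value the page copies into a
    request header must equal the value stored in the cookie. A cross-site
    attacker cannot read the cookie, so it cannot supply a matching header."""
    sent = _lookup(headers, CRUMB_HEADER)
    stored = cookies.get(CRUMB_COOKIE)
    if not sent or not stored:
        return False
    # Constant-time comparison; encode so non-ASCII input cannot raise.
    return hmac.compare_digest(sent.encode("utf-8"), stored.encode("utf-8"))


def is_csrf_safe(method: str, headers: Mapping[str, str], cookies: Mapping[str, str]) -> bool:
    """Gate for state-changing requests: safe methods pass; everything else
    needs both the Ajax marker and a matching crumb. The marker alone is
    never enough, which is the point the answer makes."""
    if method.upper() in SAFE_METHODS:
        return True
    return xhr_marker_present(headers) and crumb_matches(headers, cookies)


if __name__ == "__main__":
    # Constructed sample request: the page read the crumb cookie and copied it
    # into the header, as a same-origin Ajax call would.
    crumb = new_crumb()
    good = {"X-Requested-With": "XMLHttpRequest", CRUMB_HEADER: crumb}
    print("legit POST accepted:", is_csrf_safe("POST", good, {CRUMB_COOKIE: crumb}))
    marker_only = {"X-Requested-With": "XMLHttpRequest"}
    print("marker-only POST accepted:", is_csrf_safe("POST", marker_only, {CRUMB_COOKIE: crumb}))
```

The crumb cookie does not need to be HttpOnly, since the page's own script has to read it to copy it into the header; what matters is that a page on another origin cannot read it, so a forged request can carry the cookie but not the matching header.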