Posts

Showing posts with the label csrf

Is this sufficient to protect against a CSRF for an ajax-driven application?

I'm working on a completely ajax-driven application where all requests pass through what basically amounts to a main controller which, at its bare bones, looks something like this:

    // Only dispatch when the request carries the header XMLHttpRequest sends;
    // the '?? '' ' fallback avoids an undefined-index notice when it is absent
    if (strtolower($_SERVER['HTTP_X_REQUESTED_WITH'] ?? '') == 'xmlhttprequest') {
        fetch($page);
    }

Is this generally sufficient to protect against cross-site request forgeries? It's rather inconvenient to have a rotating token when the entire page isn't refreshed with each request. I suppose I could pass and update a unique token as a global JavaScript variable with every request, but somehow that feels clumsy and seems inherently unsafe anyway.

EDIT - Perhaps a static token, like the user's UUID, would be better than nothing?

EDIT #2 - As The Rook pointed out, this might be a hair-splitting question. I've read speculation both ways and heard distant whispers about older versions of Flash being exploitable for this kind of shenanigans. Since I know nothing about that