Flourish PHP Unframework
This is an archived copy of the forum for reference purposes

isAjax & CSRF

posted by theyouyou 8 years ago

http://stackoverflow.com/questions/3315914/is-this-sufficient-to-protect-against-a-csrf-for-an-ajax-driven-application

According to the comments in the above link, fRequest::isAjax would be sufficient as protection against CSRF attacks (if cross-domain requests are forbidden).

So no token needs to be sent through Ajax requests and regenerated right after.

Is that right?

You can send the CSRF token if you want, as a parameter in the $.ajax() function, but I think with isAjax() it's enough.

posted by jmtucu 8 years ago

Okay thanks.

I should worry about other security questions.

posted by theyouyou 8 years ago

I'd personally still use a security token. It's not much effort to add (both as in code and as in server work), and there's no difference on the other end, either. fRequest::isAjax relies on an HTTP header, which works because most everything supports it, but there's no guarantee that it'll continue to work as-is. Might as well cover your bases and use a token.

posted by rirez 8 years ago
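The belt-and-braces approach rirez describes, as an added example that is not part of the thread and not Flourish's own code: the endpoint keeps the X-Requested-With check (a stand-in for what fRequest::isAjax() looks at) and additionally requires a per-session token. The function names, the X-CSRF-Token header and the csrf_token field are assumptions for the example.

```php
<?php
// Added example: header check plus session-bound CSRF token for an
// AJAX endpoint. Assumes PHP sessions are available and that the page
// embeds csrfToken() in a JS variable for $.ajax() to send back.

session_start();

// Issue one random token per session (regenerating per request is
// not required for this scheme; the token is bound to the session).
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Stand-in for fRequest::isAjax(): the X-Requested-With header that
// jQuery adds to XHR calls and that a plain cross-site form post cannot set.
function isAjaxRequest(array $server): bool
{
    return isset($server['HTTP_X_REQUESTED_WITH'])
        && strtolower($server['HTTP_X_REQUESTED_WITH']) === 'xmlhttprequest';
}

// Accept the token from the assumed X-CSRF-Token header or a POST field.
function csrfTokenIsValid(array $server, array $post): bool
{
    $sent     = $server['HTTP_X_CSRF_TOKEN'] ?? ($post['csrf_token'] ?? '');
    $expected = $_SESSION['csrf_token'] ?? '';
    // hash_equals avoids a timing side channel; an empty token never matches.
    return $expected !== '' && $sent !== '' && hash_equals($expected, $sent);
}

// Gate the state-changing action on both checks, not on the header alone.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    header('Content-Type: application/json');
    if (!isAjaxRequest($_SERVER) || !csrfTokenIsValid($_SERVER, $_POST)) {
        http_response_code(403);
        echo json_encode(['error' => 'CSRF check failed']);
        exit;
    }
    // ... perform the action here ...
    echo json_encode(['ok' => true]);
}
```

On the client, jQuery's `headers` option (`$.ajax({headers: {'X-CSRF-Token': token}, ...})`) or a `csrf_token` field in the POST data delivers the value; the server-side check is the same either way.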