

Easy way to prevent CSRF - tinganho

What is the easiest and most secure way to prevent CSRF?

I was thinking about this for a long time. Every request, for instance for images from a site, sends an HTTP header called Referer. The HTTP referer is set by the browser based on which URL the request comes from. Since cross-site resource forgery means that you are doing resource forgery from a cross site, every CSRF attack must send an HTTP referer. So if you are building a website, let's say domain.com, then you can easily check that the HTTP referer has domain.com and not any other domain to prevent a CSRF attack. And I think all web browsers send the HTTP referer in every request.

I cannot see any holes in this solution, can you?
======
rojoca
Some people like to run their browser without sending REFERER headers. I know
chrome and firefox can both be configured to do so. That would mean these
users would not be able to use your site/app. Better to stick with the tried
and true method of a random-ish variable that goes into both the form and the
cookie with their values being checked against each other on submission.
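The two checks discussed in the thread side by side, as an added example that is not code from the original post or from either commenter: the Referer-based check from the question, and the double-submit cookie pattern rojoca recommends. It is plain Python over dicts standing in for the request's headers, cookies and form fields; `SITE_HOST`, the function names and the constructed sample requests are assumptions for illustration.

```python
"""Added example: Referer check vs. double-submit cookie for CSRF.

The request is modelled as plain dicts (headers, cookies, form fields);
the site name and helper names are illustrative assumptions.
"""
import hmac
import secrets
from urllib.parse import urlsplit

SITE_HOST = "domain.com"  # the site from the question


def referer_check(headers: dict) -> bool:
    """Accept a request only if its Origin or Referer host is our own.

    Returns False when neither header is present.  That is the weak spot
    rojoca points out: a browser configured not to send Referer produces
    a request this check cannot tell apart from a forged one, so a strict
    policy locks those users out, while a lenient "missing header = allow"
    policy gives an attacker a bypass whenever the header can be suppressed.
    """
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return False
    host = urlsplit(src).hostname  # None for malformed values
    # Exact host match: "domain.com.evil.net" and "evildomain.com" are rejected.
    return host == SITE_HOST


def issue_csrf_token() -> str:
    """Random token to set both as a cookie and as a hidden form field."""
    return secrets.token_urlsafe(32)


def double_submit_check(cookies: dict, form: dict) -> bool:
    """Double-submit cookie: the token in the cookie must equal the token
    submitted in the form.  A page on another origin can make the browser
    attach the cookie, but cannot read it to copy the value into the form.
    Works regardless of whether the browser sends a Referer."""
    cookie_tok = cookies.get("csrf")
    form_tok = form.get("csrf")
    if not cookie_tok or not form_tok:
        return False
    # Constant-time comparison so the token cannot be guessed byte by byte.
    return hmac.compare_digest(cookie_tok.encode(), form_tok.encode())


def evaluate(req: dict) -> dict:
    """Run both checks on one modelled request and report each result."""
    return {
        "referer_ok": referer_check(req.get("headers", {})),
        "double_submit_ok": double_submit_check(req.get("cookies", {}),
                                               req.get("form", {})),
    }


if __name__ == "__main__":
    tok = issue_csrf_token()
    # Constructed sample requests (not captured traffic):
    samples = {
        "legit, Referer sent":
            {"headers": {"Referer": "https://domain.com/settings"},
             "cookies": {"csrf": tok}, "form": {"csrf": tok}},
        "legit, Referer suppressed by privacy setting":
            {"headers": {},
             "cookies": {"csrf": tok}, "form": {"csrf": tok}},
        "forged from attacker page":
            {"headers": {"Referer": "https://attacker.example/lure"},
             "cookies": {"csrf": tok}, "form": {"csrf": "guess"}},
    }
    for name, req in samples.items():
        print(f"{name}: {evaluate(req)}")
```

Running the three constructed requests shows the trade-off in the thread: the Referer check rejects the privacy-minded user's legitimate request together with the forgery, while the double-submit check accepts the legitimate request in both cases and rejects the forgery because the attacker's page cannot supply the cookie's value in the form.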

------
lucb1e
I think you should ask this (or search for this) on
<http://security.stackexchange.com>

