Easy way to prevent CSRF
1 point by tinganho on May 31, 2013 | hide | past | favorite | 2 comments
What is the easiest and most secure way to prevent CSRF?

I was thinking about this for a long time. Every request, for instance for images from a site, sends an HTTP header called Referer. The HTTP Referer is set by the browser based on what URL the request comes from. Since cross-site resource forgery means that you are doing resource forgery from a cross site, every CSRF attack must send an HTTP Referer. So if you are building a website, let's say domain.com, then you can easily check that the HTTP Referer has domain.com and not any other domain to prevent a CSRF attack. And I think all web browsers send the HTTP Referer in every request.

I cannot see any holes in this solution; can you?



Some people like to run their browser without sending REFERER headers. I know chrome and firefox can both be configured to do so. That would mean these users would not be able to use your site/app. Better to stick with the tried and true method of a random-ish variable that goes into both the form and the cookie with their values being checked against each other on submission.
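The token-in-form-and-cookie check from the reply above, next to the Referer-only check from the original question, as an added example that is not part of this thread (Python; the function names, the `csrf_token` cookie/field names and the sample requests are assumptions):

```python
import hmac
import secrets
from typing import Mapping, Optional
from urllib.parse import urlparse

# Constructed illustration of the double-submit pattern the reply describes:
# the server issues a random token, puts it in a cookie and in a hidden form
# field, and accepts the submission only when the two values match. A page on
# another origin cannot read the cookie, so it cannot fill in the field.

def issue_token() -> str:
    """Mint a fresh, unguessable token (32 random bytes, URL-safe text)."""
    return secrets.token_urlsafe(32)

def csrf_check(cookies: Mapping[str, str], form: Mapping[str, str],
               cookie_name: str = "csrf_token",
               field_name: str = "csrf_token") -> bool:
    """True only if both tokens are present and identical.
    compare_digest keeps the comparison constant-time."""
    cookie_token = cookies.get(cookie_name)
    form_token = form.get(field_name)
    if not cookie_token or not form_token:
        return False
    return hmac.compare_digest(cookie_token, form_token)

def referer_check(headers: Mapping[str, str], allowed_host: str) -> Optional[bool]:
    """The Referer-only approach from the question. Returns True/False when a
    Referer is present and None when the browser sent none, which is the case
    the reply raises: the site must then either reject legitimate users who
    strip the header or wave the request through."""
    referer = headers.get("Referer")
    if referer is None:
        return None
    # Compare the parsed hostname, not a substring: "domain.com.attacker.example"
    # contains "domain.com" but is a different host.
    return urlparse(referer).hostname == allowed_host

if __name__ == "__main__":
    token = issue_token()
    # Legitimate submission: the page served by the site carried the same token.
    print(csrf_check({"csrf_token": token}, {"csrf_token": token}))   # True
    # Forged submission: the browser attaches the cookie, but the attacker's
    # page cannot know the token to put in the form.
    print(csrf_check({"csrf_token": token}, {"csrf_token": "guess"}))  # False
    print(referer_check({}, "domain.com"))                             # None
```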


I think you should ask this (or search for this) on http://security.stackexchange.com



