June 4, 2021

Are anti-forgery tokens really needed?

I know anti-forgery tokens can help prevent CSRF for standard POST requests. They’re not needed for GET requests assuming the API is a RESTful API (GET doesn’t update the DB), and also not needed for PUT/DELETE since those are pre-flighted.

But, non-standard POST requests (i.e. POST requests that could only have been sent via JavaScript) are also pre-flighted.
Why not get rid of anti-forgery tokens and just make the app only accept POST requests that have `content-type: application/json;charset=UTF-8`? POST requests with JSON as the body could only have been sent from JavaScript, which means the browser would have pre-flighted it, which means your server is protected from CSRF.
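As an added example (not from the original post), here is a request filter that implements the content-type check the question proposes and layers a browser-supplied `Origin` / `Sec-Fetch-Site` check on top; the three form enctypes a plain `<form>` can submit without a preflight are listed explicitly so `text/plain` bodies that merely look like JSON are rejected too. The `site_origin` value and sample requests are constructed for the example.

```python
"""CSRF request filter: accept only same-site, JSON-declared state changes."""
import json
from typing import Dict, Tuple

# Content types an HTML <form> can submit with no CORS preflight; the
# proposed defence relies on every one of these being refused.
FORM_TYPES = {"application/x-www-form-urlencoded", "multipart/form-data", "text/plain"}


def parse_content_type(value: str) -> Tuple[str, Dict[str, str]]:
    """Split 'application/json;charset=UTF-8' into (media type, params)."""
    parts = [p.strip() for p in value.split(";")]
    params: Dict[str, str] = {}
    for p in parts[1:]:
        if "=" in p:
            k, v = p.split("=", 1)
            params[k.strip().lower()] = v.strip().strip('"').lower()
    return parts[0].lower(), params


def csrf_check(method: str, headers: Dict[str, str], body: bytes,
               site_origin: str) -> Tuple[bool, str]:
    """Return (allowed, reason) for one incoming request."""
    h = {k.lower(): v for k, v in headers.items()}
    if method.upper() in ("GET", "HEAD", "OPTIONS"):
        return True, "safe method"
    media, _ = parse_content_type(h.get("content-type", ""))
    if media in FORM_TYPES or media != "application/json":
        return False, f"unexpected content type {media or '(none)'}"
    # Sec-Fetch-Site is set by the browser and cannot be altered by page script.
    sfs = h.get("sec-fetch-site")
    if sfs and sfs not in ("same-origin", "same-site", "none"):
        return False, f"cross-site request (Sec-Fetch-Site={sfs})"
    # Browsers always attach Origin to POST; when present it must be ours.
    origin = h.get("origin")
    if origin and origin != site_origin:
        return False, f"origin mismatch {origin}"
    try:
        json.loads(body)
    except ValueError:
        return False, "body is not valid JSON"
    return True, "ok"


if __name__ == "__main__":
    site = "https://app.example"  # constructed
    print(csrf_check("POST", {"Content-Type": "application/x-www-form-urlencoded"}, b"a=1", site))
    print(csrf_check("POST", {"Content-Type": "application/json;charset=UTF-8",
                              "Origin": site}, b'{"a":1}', site))
    print(csrf_check("POST", {"Content-Type": "application/json",
                              "Origin": "https://other.example"}, b"{}", site))
```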



Layered solution
