I’m working on a completely ajax-driven application where all requests pass through what basically amounts to a main controller which, at its bare bones, looks something like this:
if(strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) == 'xmlhttprequest') { fetch($page); }
Is this generally sufficient to protect against cross-site request forgeries?
It’s rather inconvenient to have a rotating token when the entire page isn’t refreshed with each request.
I suppose I could pass and update unique token as a global javascript variable with every request — but somehow that feels clumsy and seems inherently unsafe anyway.
EDIT – Perhaps a static token, like the user’s UUID, would be better than nothing?
EDIT #2 – As The Rook pointed out, this might be a hair-splitting question. I’ve read speculation both ways and heard distant whispers about older versions of flash being exploitable for this kind of shenanigans. Since I know nothing about that, I’m putting up a bounty for anyone who can explain how this is a CSRF risk. Otherwise, I’m giving it to Artefacto. Thanks.
Advertisement
Answer
I’d say it’s enough. If cross-domain requests were permitted, you’d be doomed anyway because the attacker could use Javascript to fetch the CSRF token and use it in the forged request.
A static token is not a great idea. The token should be generated at least once per session.
EDIT2 Mike is not right after all, sorry. I hadn’t read the page I linked to properly. It says:
A simple cross-site request is one that: […] Does not set custom headers with the HTTP Request (such as X-Modified, etc.)
Therefore, if you set X-Requested-With
, the request has to be pre-flown, and unless you respond to pre-flight OPTIONS
request authorizing the cross-site request, it won’t get through.
EDIT Mike is right, as of Firefox 3.5, cross-site XMLHttpRequests are permitted. Consequently, you also have to check if the Origin
header, when it exists, matches your site.
if (array_key_exists('HTTP_ORIGIN', $_SERVER)) { if (preg_match('#^https?://myserver.com$#', $_SERVER['HTTP_ORIGIN']) doStuff(); } elseif (array_key_exists('HTTP_X_REQUESTED_WITH', $_SERVER) && (strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) == 'xmlhttprequest')) doStuff();