I am new to web security. I was wondering how to properly use tokens for ajax requests and forms without submit buttons (e.g. status updates) to protect CSRF. Can someone show me some sample code? I know how to do it correctly for forms with a submit button. Also in my ajax folder, I have htaccess with the following:
SetEnvIfNoCase X-Requested-With XMLHttpRequest ajax Order Deny,Allow Deny from all Allow from env=ajax
Is this sufficient protection for ajax requests, or should I also implement token protection for ajax requests?
, , () . . , , ajaxy, value , div, . script , .
, , AJAX , . ( Cheekysoft , raw JS, jQuery , .) , , ( ), .
, . ajax value . , . , , , , HTTPS, .
HTTPS, , -, -/starbucks, .
, jQuery , CSRF. - .
XHR GET, URL PHP script $_GET[]. XHR POST, POST PHP $_POST[].
$_GET[]
$_POST[]
GET
var token = getElementById( 'myHiddenField' ).value; var xhr = new XMLHttpRequest(); xhr.open( 'GET', 'server.php?token=' + token ); xhr.send( null );
POST
var token = getElementById( 'myHiddenField' ).value; var xhr = new XMLHttpRequest(); xhr.open( 'POST', 'server.php', true ); xhr.setRequestHeader( 'Content-Type', 'application/x-www-form-urlencoded' ); xhr.onreadystatechange = function() { if (xhreq.readystate != 4) { return; } // do client side stuff here }; xhr.send( 'token=' + token );