Is it good practice to store the csrf token in a meta tag?

Question

Is it good practice to store the csrf token in a meta tag?

If I make a POST request without using a form and want to prevent a CSRF attack, I can do this to set the csrf token in the meta tag and return it to the header when the request is launched. Is this a good practice?

<meta name="csrf-token" content="xxx">

Put the marker back through the header using jQuery, for example:

 $.ajaxSetup({ headers: { 'X-CSRF-TOKEN': $('meta[name="csrf-token"]').attr('content') } });

+7

jquery meta-tags csrf

tony.0919 Apr 16 '15 at 16:12

source share

1 answer

ajon · Accepted Answer · 2015-08-15T05:37:58+0000

Yes, this is a good practice. If you use ajax, I think this is the cleanest solution.

You can also put a marker inside the form (which is more convenient if you submit the entire form), but if you use ajax, you just need to go somewhere so that you can capture it.

in a hidden field or in a meta tag are both very good options.

Is it good practice to store the csrf token in a meta tag?

More articles: