Tuesday, 27 January 2015

CSRF-protection using authentication token in HTTP header



I'm working on a web application which stores an authentication token in a cookie.


The only CSRF-protection is referrer checking.


I am considering improving this by moving the authentication token from cookies to a custom header, such as X-AuthToken.


The application is a single page application created using JavaScript.


I believe this should be a robust protection against CSRF attacks, because if an evil site forces a user's browser to do an HTTP POST, the auth header won't be included and the request will fail.


The auth token is generated on a per-session basis.


Am I right that this would offer CSRF protection or am I missing something?




