CSRF (Cross Site Request Forgery) protection

Cross Site Request Forgery protection is a mechanism of guarding against a particular type of attack, which can occur when a user has not logged out of a web site, and continues to have a valid session. In this circumstance a malicious site may be able to perform actions against the target site, within the context of the logged-in session.
To guard against these type of attacks, you need to do two things:
  1. Ensure that the 'unsafe' HTTP operations, such as GETHEAD and OPTIONS cannot be used to alter any server-side state.
  2. Ensure that any 'safe' HTTP operations, such as POSTPUTPATCH and DELETE, always require a valid CSRF token.
In order to make AJAX requests, you need to include CSRF token in the HTTP header

Comments