Cross Site Request Forgery

Cross Site Request Forgery (CSRF) is a very common vulnerability. It tricks a logged-in user's browser into sending requests the user never intended: because the browser attaches the session cookie to every request it makes to the site, a request triggered from an attacker's page (a hidden form, an image tag, a script) arrives carrying the victim's credentials.
An attacker can therefore perform any action available to the logged-in user, such as modifying content or deleting data, without ever learning the user's password. Every action the user is allowed to take is available to the attacker.

To prevent this, the server requires additional information in each state-changing request that a page on another site cannot supply, typically an unpredictable anti-CSRF token bound to the user's session and delivered inside the page itself. If a request is missing the token, or the token does not match the value stored for that session, the server must reject the request. Checking the token on only some endpoints, or accepting a token issued to a different session, defeats the protection.

If you submit forms with AJAX requests, a custom HTTP header can also be used to prevent CSRF: a plain HTML form or an image tag on another site cannot add custom headers, and a cross-origin XMLHttpRequest that carries one is blocked by the browser unless your server explicitly allows it through CORS. The server therefore has to reject any state-changing request that lacks the header, and its CORS policy must not reflect arbitrary origins or allow the header for untrusted ones. A fixed header value only proves that the request came from script running on your page; to bind the request to the user as well, send the session's anti-CSRF token as the header value instead of a constant.
For jQuery, if you want to add a custom header to -

a. individual request
// The header name and value are the post's placeholders; in practice the value
// should be the per-session anti-CSRF token issued by the server.
$.ajax({
    url: 'xyz/',
    headers: { 'my-custom-header': 'somevalue' }
});

b. every request
// Applies to every subsequent $.ajax call on the page, so the server can
// require the header on all state-changing endpoints.
$.ajaxSetup({
    headers: { 'my-custom-header': 'somevalue' }
});
