
I have compiled a flowchart to help me understand how to protect against CSRF in my AJAX application. I've used CSRF prevention successfully in the past on more standard web forms but this is the first time it's really needed to work in AJAX.

I guess I would like any feedback on whether the logic works or not, because this will be a high-security application that needs to time out after no longer than 30 seconds, and the token will need to be different for every single request as opposed to one for the whole session.

Diagram

DaveHolt

1 Answer


This seems fine as long as your token value is generated by a CSPRNG with 128 bits of entropy. There's no need to hash the value on the client side, although you could hash it using SHA-2 for storage on the server side to prevent any exposure from compromising existing user sessions.

Also, I'm assuming your CSRF token is different from the authentication token - it is recommended for these to be separate, as you do not want to manipulate and pass around the authentication token necessarily.

To further increase security you could check and set a custom AJAX header such as X-Requested-With because this cannot be passed by the browser cross-domain without CORS being enabled.

You could in fact include your secure token within this header too. See this answer for details.

SilverlightFox