How to prevent http requests forgery if the content is private? (basically allow only requests from my interface , not browser)

Go To


Sorry for asking this again but ppl seem to connect csrf only with form submissions or form duplication (idk why).

My ideea would be to secure the data from outside requests . Set a token for each request , and start the tokenising since the user logs in so any attacker can't just load a previous page, get the token and send it for the next request . Is a good ideea to tokenise each request right from the start so the private users content won't be stolen ? I see this a powerfull attack against social websites that are't protected . Any attacker steal users data from another popular website .

2012-04-04 06:37
by Cata Cata


If I understand you right, wouldn't the apropriate thing to do (server side) to add cache-control: private header? This should cause any cache and/or proxy not to cache the content for other parties. Use it in conjunction with https and you should be alright.

2012-04-04 06:55
by jornare