3.6 Cross-Site Request Forgery (CSRF)

This topic explains Cross-Site Request Forgery (CSRF) and how a token carried in a custom HTTP header defends script-initiated requests against it.

For XMLHttpRequest (and fetch) calls, the page's own script sets a custom HTTP header on every state-changing request, for example X-CSRF-Token, whose value is the CSRF token the server issued for the current session. The server then rejects any request that lacks the header or whose token does not match the token bound to the session. This protects endpoints that are only meant to be called from script, because the things a cross-site attacker can make the victim's browser submit (an HTML form, an image tag, a link) cannot carry custom headers. Script running on the attacker's origin cannot add the header either: a cross-origin XMLHttpRequest or fetch with a custom header is not a "simple" request, so the browser first sends a CORS preflight and only issues the real request if the target server's preflight response explicitly allows that header. Historically Flash could also set request headers and was a known gap in this scheme; Flash has since been removed from browsers. Two caveats apply: the server must compare the token value against the session's token (a presence-only check, such as testing for X-Requested-With, relies entirely on the browser's same-origin enforcement), and the scheme is only as strong as the site's CORS configuration, so Access-Control-Allow-Headers must not allow the token header for untrusted origins on credentialed requests.